
How to structure a Node, Express, Connect-Auth and Backbone application on the server-side?


I think you have the right idea, although I'll throw out a couple of thoughts:

  • Defining Routes - If you are defining a lot of routes, especially with JSON, you may want to define them dynamically via an MVC-type framework. You can find a good example of that in the express samples here. It would save you a lot of handwritten routes and you could pass node objects back to the client as JSON without doing much else on the server side.
  • Backbone on the Server - If you want to go a little crazier (and I have not ever used this technique), Development Seed have built a framework called bones that uses backbone on the server side.
  • Login Example - There is a good tutorial over at DailyJS regarding user session management.
  • Accessibility - As long as you don't have accessibility concerns, providing data via a REST API makes sense. If you have to worry about 508 compliance or other JavaScript limitations, you might run into problems.

As for security, setting your session timeout to a lower value and choosing an appropriate secret key would probably go a long way toward making sure someone can't generate session cookies (by default the actual data isn't stored on the client). I'm not sure what algorithm node.js uses to generate session cookies. Here are some details on the express session middleware.
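
To illustrate the two settings mentioned in the answer above (a strong secret and a short session timeout), here is an added example that is not part of the original answer and is not the Express middleware's own code. It sketches the general technique with Node's built-in `crypto` module only: the cookie carries a random session ID plus an HMAC over it, and the data stays in a server-side store. All names (`createSession`, `loadSession`, `IDLE_TIMEOUT_MS`) are hypothetical.

```javascript
const crypto = require('crypto');

// Signing secret from a CSPRNG (constructed here; in practice load it from configuration).
const SECRET = crypto.randomBytes(32).toString('hex');
const IDLE_TIMEOUT_MS = 15 * 60 * 1000; // short idle timeout

// Server-side store: session id -> { user, lastSeen }. Nothing but the id reaches the client.
const sessions = new Map();

function mac(value, secret) {
  return crypto.createHmac('sha256', secret).update(value).digest('hex');
}

// Create a session and return the cookie value "<id>.<hmac>".
function createSession(user, now = Date.now(), secret = SECRET) {
  const id = crypto.randomBytes(18).toString('hex');
  sessions.set(id, { user, lastSeen: now });
  return `${id}.${mac(id, secret)}`;
}

// Return the session for a cookie value, or null if it is forged, unknown or expired.
function loadSession(cookie, now = Date.now(), secret = SECRET) {
  if (typeof cookie !== 'string') return null;
  const dot = cookie.lastIndexOf('.');
  if (dot < 1) return null;
  const id = cookie.slice(0, dot);
  const given = Buffer.from(cookie.slice(dot + 1));
  const expected = Buffer.from(mac(id, secret));
  // Constant-time comparison; timingSafeEqual requires equal lengths.
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) {
    return null;
  }
  const session = sessions.get(id);
  if (!session) return null;
  if (now - session.lastSeen > IDLE_TIMEOUT_MS) {
    sessions.delete(id); // expired: drop it so the id cannot be reused
    return null;
  }
  session.lastSeen = now; // sliding expiry on each valid request
  return session;
}
```

A cookie whose ID or signature was altered, or that was signed with a different key, is rejected before the store is consulted, and a valid cookie stops working once the idle timeout has passed.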