I found a way to do exactly what I need.  I'm going to assume that others might benefit from it so here's a summary of what I did.

The inbound email that I need to receive will be sent to a shared mailbox in our Office 365 environment.  I set a flow option to forward anything coming into that mailbox to our SN instance.

On the ServiceNow side, I created a user who's email address is the same as the shared mailbox.  I then created a new inbound action, type = New, that has an order of 50 so that all inbound email hits it first.  The action starts by checking if the email is for Guest.  If not, the mail moves on to higher order actions.

If the mail is identified for Guest, I do a lookup in sys_user for sys_user.email == email.to.  I put everything into lower case to simplify things.  If I find the email address I treat the email as legitimate and create an incident.  Part of that includes determining an assignment group via table lookup.  I also prepend EXTERNAL EMAIL FROM <sender> to the short description so that anyone looking at the incident knows that it is not from an internal source.  Finally I add a note to the email log indicating that it was processed by this action.  The Caller on incidents created from external emails shows as Guest.  That lets me be a bit lazy because Guest doesn't get the incident created and other notifications that would go to legitimate users.

Before starting any testing, don't forget to re-activate the Guest user.

If I don't find a match on the email address lookup, I process the email into the Junk mailbox.  One gotcha to be aware of is the BR Set Inbox.  When accepting the email it is no problem.   When attempting to put it in the junk pile it needs to be modified.  I added some conditions that will be exclusive to the ones that I am putting there by including an error_string on the email which, among other things, the condition in the BR checks.

Very important, if the email is handled by the inbound action I created, the last thing the action does is stop further processing programmatically (event.state="stop_processing";).  You cant just use the checkbox on the inbound action form because that would prevent non guest emails from being processed.

Clearly, allowing inbound email from unknown sources has the potential to introduce spam and worse into the process.  The way we see that issue is this.  Our O365 environment does a very good job of filtering out such messages.  Add onto that the filtering that ServiceNow does before allowing the email in and we get a very high confidence level that such bad mail will not get into the instance.  Anything from outside that is not directed to one of our shared mailboxes goes straight to the junk heap.  Our internal groups that manage the shared mailboxes are used to filtering out any spam type emails so again lower risk.

I've run this solution past a few developers who are far more experienced on the platform than I am as well as our security team and so far I've passed muster with everyone.

I realize that this may not be the solution for everyone but I do hope that it can help a few people in the same situation.  If you have specific questions, please contact me.

:{)