Regarding #1, I've found that Phoenix + LiveView has been helpful for these cases. They have great form validation tools using Changesets and the `phx-change` attribute [1]. You can redact certain fields [2], and even treat certain fields like virtual fields (like password not being stored vs the password hash being stored) [3].
Of course, the (potential) drawback is in using Elixir for both front-end and back-end, which may be a tough sell to a client or employer.
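To make the pattern in the comment above concrete, here is an added example (not the commenter's code, and not taken from the Phoenix or Ecto projects): an Ecto schema whose `:password` field is both `virtual: true` (never written to the database) and `redact: true` (scrubbed from `inspect/1` output, so it does not land in crash reports or logs), with the bcrypt hash stored in `:hashed_password`, plus the LiveView that re-runs the changeset on every `phx-change`. The module names `MyApp`/`MyAppWeb`, the `MyApp.Repo` repo, the `<.input>` core component and the `bcrypt_elixir` dependency (`Bcrypt.hash_pwd_salt/1`) are assumptions; swap in your own.

```elixir
# Added example; assumes a Phoenix 1.7+ app named MyApp with MyApp.Repo,
# the generated <.input> core component, and bcrypt_elixir as a dependency.
defmodule MyApp.Accounts.User do
  use Ecto.Schema
  import Ecto.Changeset

  schema "users" do
    field :email, :string
    # Virtual: accepted from the form but never persisted.
    # Redacted: shown as **redacted** by inspect/1, so it stays out of logs.
    field :password, :string, virtual: true, redact: true
    # What actually gets stored; redacted too so the hash does not leak either.
    field :hashed_password, :string, redact: true
    timestamps()
  end

  # Runs on every phx-change (live validation) and on submit.
  def registration_changeset(user, attrs) do
    user
    |> cast(attrs, [:email, :password])
    |> validate_required([:email, :password])
    |> validate_format(:email, ~r/^[^\s]+@[^\s]+$/, message: "must have the @ sign and no spaces")
    # Upper bound of 72 bytes because bcrypt silently truncates longer input.
    |> validate_length(:password, min: 12, max: 72)
    |> unique_constraint(:email)
    |> hash_password()
  end

  # Only hash once the rest of the changeset is valid, then drop the plaintext
  # change so it cannot be read back off the changeset struct.
  defp hash_password(changeset) do
    password = get_change(changeset, :password)

    if password && changeset.valid? do
      changeset
      |> put_change(:hashed_password, Bcrypt.hash_pwd_salt(password))
      |> delete_change(:password)
    else
      changeset
    end
  end
end

defmodule MyAppWeb.RegistrationLive do
  use MyAppWeb, :live_view

  alias MyApp.Accounts.User

  def mount(_params, _session, socket) do
    changeset = User.registration_changeset(%User{}, %{})
    {:ok, assign(socket, form: to_form(changeset))}
  end

  def render(assigns) do
    ~H"""
    <.form for={@form} id="registration-form" phx-change="validate" phx-submit="save">
      <.input field={@form[:email]} type="email" label="Email" />
      <.input field={@form[:password]} type="password" label="Password" />
      <button type="submit">Register</button>
    </.form>
    """
  end

  # phx-change fires this on each keystroke; :validate makes errors render
  # without attempting an insert.
  def handle_event("validate", %{"user" => params}, socket) do
    changeset =
      %User{}
      |> User.registration_changeset(params)
      |> Map.put(:action, :validate)

    {:noreply, assign(socket, form: to_form(changeset))}
  end

  def handle_event("save", %{"user" => params}, socket) do
    case MyApp.Repo.insert(User.registration_changeset(%User{}, params)) do
      {:ok, _user} ->
        {:noreply, put_flash(socket, :info, "Account created")}

      {:error, changeset} ->
        {:noreply, assign(socket, form: to_form(changeset))}
    end
  end
end
```

The two field options do different jobs: `virtual: true` is what keeps the plaintext out of the `users` table, while `redact: true` is what keeps it out of `IO.inspect(changeset)`, Logger crash dumps and error-tracking payloads, which is where plaintext passwords usually leak from otherwise correct code. Deleting the `:password` change after hashing closes the remaining hole, where the valid changeset (plaintext included) is passed around before `Repo.insert/1`.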