For item #2:
I don't have any rootpw defined in any of my systems, as I use
SASL/GSSAPI authentication for all write-related activity. I assume for
the back-config stuff then, it will be possible to define an ACL saying
what principal can write to that DB? Or a configuration directive?
I guess that, as soon as back-config uses the frontend's access checking
capabilities, your guess is correct. I only fear transient cases, when
access control is not ready yet but you want to write a configuration. In
those cases you'll likely need the rootdn.