Thanks. Re point 3: even when the tx is relayed, the user EOA will be in the call stack, right? so tx.authorizer would work then?
Re point 2: there are proposals to explore, but we all agree there is no clear solution except “upgrade the DEX to KYC”? That is a huge issue.