The situation in your question 1 becomes complicated by the fact that a bookmark manager can create bookmarks as well. So now we can't assume that the code in a bookmarklet is user-provided.
Any extension with the "bookmarks" permission can create a bookmarklet and execute it.
This whole policy issue could be solved by the ability to execute user-provided code in the isolated world instead of the main world. As wOxxOm said, this functionality is a must for many, many extensions such as user-script managers and in general any extension that allows the user to provide their own logic.
Unfortunately, we are all entirely clueless about when (or if) this functionality will become part of MV3 before MV2 dies. Only 8 months remain until this deadline, and MV3 is still full of bugs and missing features. At the current pace of improvement, it doesn't look like MV3 will be ready to replace MV2 by the end of this year.
Your safe bet for now is to submit your MV3 version as a beta version (while you keep your MV2 version as the main version) and to implement the approach given by wOxxOm. If your MV3 version is approved by the review staff, then your problem is solved.