Yup, I understand.
Well, you can do all of that, in varying degrees.
The "focus on lists and items" and information validation is easy. The API "component" works just like the other two (site and admin). You can show whatever you want. Put model and controller stuff in your API section and do processing there just like you would if it were an admin or site form. If you *don't* have a model section then it defaults to the admin models. You may well want to override the display method in your JsonapiView class, otherwise you're stuck with a "links, data, metadata" format of JSON output.
I saw a video (of George Wilson) talking about the access thing. Before what he said, when you set up your API paths (errr, how are you making it work without the plugin??? That's intriguing to me) in the plugin, there's a fourth parameter to "createCRUDRoutes" that I'm guessing allows access *without* any certification. However, to return to George, he said that application validation is probably best done with OAuth. I'm afraid I've heard of that but don't know much more. Might be an option?
As for personal login details, I'm expecting to do that in a POST call just the same as I used to, but I haven't got that far yet so I can't be certain. I can't imagine those values will be unavailable. It's (one of) the next things on my list.