I would seriously consider setting up a GraphQL server that the browser can directly communicate with using zero-trust authentication. With this model the stack is simplified and the entire traditional middle layer/man is eliminated. The one thing I’m not familiar with, though, is whether fine-grained access control can easily be introduced into this structure without a middle server layer.