OK, thanks. Understanding your perception of my scope is helpful too :-)
On the bbPress permissions: this seems like another reason for me to stick with the REST approach for now. The WP-API makes it easy for me to make REST calls via Ajax for the current user who already has an authenticated session going in the browser. By contrast, it seems that creating a separate authentication and visibility control layer in GraphQL or whatever would be prone to errors; in this case, security errors!
Regarding re-working the bbPress front-end: yes, it basically means creating code in JSX that is a snap-in replacement for the relevant bbPress template(s). I’m not looking to React-ify the entire bbPress front end, though, just considering React-ifying this one view, which is basically just one template.
Thanks for your articles and the chat here.