PKI management for mTLS documentation?

Some things I cannot find in Syncthing documentation on the topic of mTLS and PKI management:

  • Are the un-authenticated (REST-based) Syncthing server status/version also protected behind this mTLS scheme?
  • In which directory are the client PKI keys stored for use with mutual TLS (mTLS)?
  • Can we have separate client PKI for each device? (Good for excision of a stolen device.) (Search digging got me this: $HOME/.config/syncthing.)
  • Why is there not a separate directory for data (server) and --config (client) … as a default?

I have read the following:

Maybe these clarify some things:

https://docs.syncthing.net/users/config.html

https://docs.syncthing.net/dev/device-ids.html