PKI management for mTLS documentation?

Some things I cannot find in Syncthing documentation on the topic of mTLS and PKI management:

  • are the un-authenticated (REST-based) Syncthing server status/version also proctected behind this mTLS scheme?
  • Which directory are the client PKI keys stored for use with mutual TLS (mTLS)?
  • Can we have separate client PKI for each device? (Good for excision of a stolen device)? (search digging got me this $HOME/.config/syncthing.)
  • why are there not a separate directory for data (server) and --config (client) … as a default?

I have read the following:

Maybe these clarify some things;