Number 1 should be straightforward to do: you just need to build and upload the trigger(s) in a separate DAR from your main Daml code. Then you can set it to run as UserAdmin (the Daml Hub operator party), or any other party.
For Number 2, we don’t (yet) support multiparty JWTs. What you can do instead is add the Daml Hub Public party as an observer to the Role contracts, and then stream the contracts with the Public token. There is some information about how to use the Public party on a Daml Hub custom UI in this thread, and of course in our docs as well.