I wrote the whole scenario exactly in order to show that point 4.1. exists. My view is that ability for a client app to request (at least public…) resources directly from their sources is a key feature that ActivityPub C2S gives us. Please read also related thread CORS restrictions - #3 by koehn
@andstatus app actively uses this feature, which allows it to get information from the first hands, without a bottleneck of a server, to which app is logged in…
Regarding objects with restricted access, a client app could (as I see now…) also access Server2 directly using OAuth tokens obtained from Server1 (with authenticating Server1 having some trust relation with Server2… )