about 1. yes, you absolutely shouldn't use the owner key unless necessary. its exposing the account to a small but unnecessary risk. unless someone gets a hold of your script and you stored it in the script itself. then your account is lost. since you can change the master password with your owner key. and with that all the other private keys.
about 2. it does essentially exactly what you are doing if you look at the beem source code. for examples just take a look at some of my tutorials. the lastest about submitting battles uses a lot of custom json stuff, the rental tutorial as well.
but essentially it works like this (you can load the keys through various other means, that is just the easiest for explaining):
hive: Hive = Hive(keys=[posting_privatekey,active_privatekey])
hive_id: str = "sm_stake_tokens"
request = {"token": "SPS", "qty": qty}
hive.custom_json(hive_id, json_data=request, required_posting_auths=["user"])
RE: Opening a NFT card shop in Splinterlands for $25+