Note that I’ve been reading this purely from an HTTP point of view. The only thing related to HTTP is that data is exchanged over HTTP, so it’s not really HTTP-based. With regard to terminology, it could be cleaned up to distinguish between the actual HTTP protocol and the requirement (?) to use only HTTPS.

One other thing I noticed is the requirement to exchange JSON in UTF-8: "All files MUST use UTF-8 encoding [STD63] and MAY be compressed with GZIP [RFC1952]." Being UTF-8 encoded is already required by <https://www.greenbytes.de/tech/webdav/rfc8259.html#rfc.section.8.1>. So I’d avoid making this a BCP 14 requirement (just mentioning it, of course, is fine).