Saket,
1) It's hard to say because it depends on your problem. Paging doesn't sound important so that seems safe. For security, it is likely the remote service will not handle security the way your application needs. Since security is a core JEE concept, I'd be especially wary of oversimplifying in this area.
2) You can absolutely leave this to the (fictional) developers. I made an assumptions that the developers know JPA and
JSF and can be trusted to implement given a high level design. The fact that JPA 1 doesn't support a relationship type is an implementation detail that would need to be worked around in practice. The actual design doesn't care about that. And in a later version when it is supported, the design doesn't change. The opportunity for a better implementation merely exists.