Under these circumstances, the RSO has transferred most of the liability for interacting with a particular client to the ASO. This, I believe, is the UMA Legal MVP.
In a real-world use-case, the RSO may not be allowed to duck this much liability. For example, the RSO might be required by law to notify the RO that a particular Client / RqP is on an industry watchlist.
In this case, the Client / RqP is providing attributes to both the AS and the RS. The RSO bears somewhat greater liability unless it can warn the RO via UMA the same way it might warn the RO via OAuth.
Can the ASO bear the responsibility of warning the RO, or must the RS warn the RO directly?
As far as I can tell, this is the essence of UMA legal. Everything else is just an elaboration on one of the four bullet points above. This, incidentally, is the use-case I'm discussing with the US Office for Civil Rights.
Adrian