Regarding some of your other points, I have built systems where the DAO objects were directly exposed. "Views" of the objects were exposed by nulling out/partially selecting data and then configuring the JSON serialisation lib to omit nulls. It works quite well for responses, not so well for requests (I'd say it doesn't scale beyond trivial endpoints)