Perhaps you are overthinking it.
All my apps use hash routing, because they are old.
All my new apps will use the new routing.
I never open a form, I always redirect somewhere. The URL (or hash) has all the info to show what I want to show, like what checkboxes or radio buttons to check, what’s on every input element, etc. The URL contains the full state of the form. If something needs to be loaded from the server, the form loads everything required in one round trip. (My next app may use KeyChain)
The main reason is that apps and other tools send notification emails with messages like “something is ready, click here to see it”, and the here has to be a link that starts the app and shows whatever is ready to be shown.
Other reasons are the management of the back and forth buttons, the “you want to save before leaving the page” warnings, the ability to copy the current URL and send it in an email.
I don’t think the permission checks you are worried about are a problem at all. All server functions need to check the user’s permissions anyway, regardless of whether it’s single page or not. If they didn’t, you would have a security hole, regardless of whether it’s single page or not.
Why choosing one URL design versus another, that’s easy: one path per form. In some cases I assign multiple paths to the same form and make the form flexible. For example I may use the same form to both create and edit an entity, but there would be two different paths. Then the form would adjust the behavior depending on the path.