whether we need a completely new role/JWT just for communication between proxy & broker?

Yes, you will need a new token with a new role. The token's role will be in the

proxyRoles

list on the broker and the function worker. The role will also need sufficient permission to do whatever the proxied clients will attempt to do. The docs describe your options for authorization. I often see users make the proxy's role a super user to simplify the deployment, but that can add some risk. The motivation for the change to a stricter proxy role configuration in 3.0 is to prevent certain kinds of misconfiguration that could occur. The misconfigurations are primarily for mTLS, but can also occur in JWT based auth for certain edge cases.

In the interests of just "trying something", I set

proxyUsers=admin-user

but then the broker/function worker won't start.

This fails because any role that is in the

proxyRoles

set can only proxy other clients. It cannot connect directly to the broker as a standalone client.

Actually, should we even need auth between function worker and broker if they're on the same host?

This completely depends on your risk profile. One important detail is that the function worker connects to multiple brokers, so it isn't technically just connecting to the local host. Also, the broker connects to other brokers. Let me know if this helps.

Also, I can re-review the docs in my day tomorrow, but if you have specific feedback about anything that is confusing, I'd really appreciate your input.