In this case I would use the Graph APIs (I think they are about to be released as GA) or an Azure Function / Azure Web API (depends on the complexity of the operations) solution to make calls utilizing the Add-in context (Client ID / Client Secret).

In this case, I would use to call an web API which could be based on microservices architecture for contacting different LoB systems - including SP Online, on-premises server, etc.

This architecture could give you the benefit of running different DLLs (required for both online and on-premises - they use different DLLs) in their own context (as a daemon). For example, in our implementations we call these "adapters" and we just plug them into our "service bus" application, expose adapter properties (for example these could be credentials or query parameters) through an interface and we work with any LoB system that way.

Kiril - I am sorry but I think you are thinking (overthinking) this question way beyond its intention. Microservices arch. / Diff. LoB... These are not my questions.

I am not sure if something has fallen thru the translation here.