1) How much data should a payment services provider be allowed to capture for fraud-detection purposes?
2) What should middleware be allowed to do without the end developer's consent?
The first one I'm not gonna answer because I'm pretty unhappy with the state of non-cash payments in general and this would turn into a rant.
For 2) I think the answer is anything that leaves the process boundaries (or frame in the case of the web) should be explicitly requested by the developer and if it's a long-running task (like mouse movement tracking on a web page) the developer should be able to abort it at any time. If it's associated with any kind of storage that clearly belongs to the developer's app the developer should be able to clear that storage at any time.