Setting status to needs review so that the maintainer can decide if they still need more info
Expanding on Kristen's idea to keep this functionality in one place rather than special cases popping up for each module, I believe a custom hook would be more appropriate. This would allow developers to override the list of users that are set to have their passwords expire by calling a hook like HOOK_password_policy_expired_list_alter($valid_list), doing their own checks on a per user ID basis, and then returning the $valid_list of users to have their passwords expire.
This would let any third party module take care of special cases, whether that means modules such as externalauth decide to handle it natively, or an in-shop developer creates a private custom module to handle their specific use case for their organization.
Contributing a patch based on the merge request so that these changes are available to developers using composer patches, until it gets merged.
Updating issue status
I made a fork "3133989-retrieve-all-submissions-resource" which applies the patch from comment #13. I also made a small change:
Instead of returning the webform submission data, I return the entity and the data keyed respectively. Each sid is an array with [entity] and [data] keys so that you can access the webform subsmission entity, or the data (responses). This can be useful for instance if you need to access the uuid so that you can use one of the other resources to patch a particular submission, or to retrieve a file, etc., which wasn't available in the submission data array.
bryden β made their first commit to this issueβs fork.
Moved a generic sentence about both CSS and JS libraries to the main topic heading, out of the JS section.
Added new sub-headings for adding CSS/JS assets to the .libraries.yml file.