Glad to hear the list has been helpful! :)
So right now there assumption (obviously counter to spec) in the client is that there is one server. I've been taking a look at implementing bootstrap and its becoming clear that Servers and Security objects need to be first-order citizens that would allow for better reasoning about requests both by the library and by the user of the library. I would assume in the future the methods on LwM2mInstanceEnabler will need to pass the Server as a parameter (and other things once thought is given to enforcing ACL).
As for your second question, yes that is a bug. The issue is line 175 of ObjectResource in leshan-core which should read something like:
LwM2mResponse response = nodeEnabler.execute(new ExecuteRequest(URI, exchange.getRequestPayload(), ContentFormat.fromCode(exchange.getRequestOptions().getContentFormat())));
instead of just using the new ExecuteRequest(URI). I'm sort of on other things right now but I guess if it would be possible to try out that fix and see if it would work then that would be a simple fix to PR in :)
Cheers,
-JF