3. The 'Use the following URL...' field is what is used to calculate the password when an Account match is found.
Presumably you mean the 'Use the following text...' field - as you point out, in the newer versions this was changed to emphasise that it didn't have to be a URL.
But of course...
4. Currently, the URL comparison is a 'contains' search - hence the need for regex/wildcard patterns. This was also the source of some of the confusion...
OK, some of this is news to me. I thought the current (visited) URL was matched directly against each URL pattern, not against a truncated form.
Truncated form != 'contains'.
Let me check my understanding based on the above...
If I visit a website at https://foo.bar.com/some/path and for the sake of example, in the settings for the default account I have ticked Protocol and Domain but not subdomain(s) or the other stuff, then PWM will look through each of the URL patterns (whether they are wildcards or regexps) for a pattern which matches "https://bar.com". If it finds one, then it applies the settings from the account which had the matching pattern. Is that right?
Yes, but only for custom accounts (you only mentioned 'Defaults' above, which has no 'URL patterns').
In that case I would expect all my regexp patterns to break if I tick the Protocol checkbox, since all my patterns are of the form: https?://[^/]+\.bar\.com/.* which would not match "https://bar.com" (it would match "https://foo.bar.com" though).
No, the URL components only affect the CALCULATED URL, which is only used by the 'Defaults' account. It is not used during pattern matching - at least for wildcard patterns (I just tested this and it still detected the tested site fine after I unticked the 'protocol' component).
Currently, modifying the URL components does NOT affect custom account passwords, but if this idea were implemented, because the URL components would become account specific AND because the calculated URL would be used (unless something was entered into the 'Use the following text...' box), yes, it would affect the password, but it still would not affect pattern matching...
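A small model of the distinction drawn in this exchange (the CALCULATED URL built from ticked components versus the URL that custom-account patterns are matched against), added here as an example and not PasswordMaker's own code. It assumes 'domain' means the last two host labels and that wildcard patterns use `*` and `?`; real public-suffix handling (e.g. .co.uk) is out of scope.

```javascript
// Added example, not PasswordMaker's code. Builds the CALCULATED URL from the
// ticked URL components. Assumption: "domain" = last two labels of the host.
function calculatedUrl(visited, components) {
  const u = new URL(visited);
  const labels = u.hostname.split('.');
  const domain = labels.slice(-2).join('.');
  const subdomain = labels.slice(0, -2).join('.');
  let out = '';
  if (components.protocol) out += u.protocol + '//';   // u.protocol is "https:"
  if (components.subdomain && subdomain) out += subdomain + '.';
  if (components.domain) out += domain;
  if (components.path) out += u.pathname + u.search;
  return out;
}

// Convert a wildcard pattern (* and ?) into an anchored regular expression.
function wildcardToRegExp(pattern) {
  const escaped = pattern
    .replace(/[.+^${}()|[\]\\]/g, '\\$&')
    .replace(/\*/g, '.*')
    .replace(/\?/g, '.');
  return new RegExp('^' + escaped + '$');
}

// Does a custom-account pattern match the given URL string?
// 'regex' patterns are used as written; wildcard patterns are converted first.
function matchesPattern(urlString, pattern, kind) {
  const re = kind === 'regex' ? new RegExp(pattern) : wildcardToRegExp(pattern);
  return re.test(urlString);
}

// Constructed sample: the site and regexp pattern from the thread.
const visited = 'https://foo.bar.com/some/path';
const regexPattern = 'https?://[^/]+\\.bar\\.com/.*';

// Protocol and Domain ticked, Subdomain and Path unticked -> "https://bar.com"
const calc = calculatedUrl(visited, { protocol: true, domain: true, subdomain: false, path: false });

// The pattern matches the visited URL but not the calculated URL. Matching the
// calculated URL would break the pattern; matching the visited URL does not.
const matchesVisited = matchesPattern(visited, regexPattern, 'regex');
const matchesCalculated = matchesPattern(calc, regexPattern, 'regex');
```

Running it with Node shows `matchesVisited` true and `matchesCalculated` false, which is exactly the breakage feared above and why the reply's point (components only affect the calculated URL, not pattern matching) matters.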
To check my understanding again, you are proposing that the choice of security mode (default vs. advanced) would be per-account?
Yes...