They can be stored on-chain for example to start and then a more robust storage solution can be added.
It needs to be a different SDK for this. Because there is no immediate write access to storage and there is ability to call out into the internet. So might need a modified version of SDK or just few extensions for this.
This is not required for security - the only thing required for security is validators adopting it and registering that they are running it via the key they use for validation.
It might be useful to plug into nearcore to be able to read state of blockchain, but I think v1 doesn’t need that. It can be just running standalone runtime to avoid writing more code.
This is just part of Worker that reads off the RPC or whatever the requested jobs and starts the runtime to process things and later signs a transaction to post it back also via RPC. Of cause can be bundled with a validator but that will create more security issues, so it’s better to make it isolated.
You can do a lot there to ensure security over time, but I think first version can be way simpler.