We will want to filter API calls so that only contact.get is allowed, always including the contact ID and a time-limited hash, and returning only the opt-in and opt-out fields. If that's not possible in configuration, write a small custom API call that wraps contact.get with those filters, and configure CiviProxy to allow only this custom call.
https://docs.civicrm.org/civiproxy/en/latest/
https://github.com/systopia/CiviProxy
https://github.com/jackgleeson/CiviProxy
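
A standalone sketch of the wrapper logic described above, added here as an example; it is not CiviProxy or CiviCRM code. The function names, the `hash` parameter, the token format, the `opt_in` field name and the `$upstream` callable that stands in for the real contact.get call are all assumptions.

```php
<?php
// Added example. Field names are assumptions; 'opt_in' is a placeholder.
const ALLOWED_RETURN = ['is_opt_out', 'opt_in'];

// Assumed token format: "<expiry unix time>_<hex HMAC-SHA256 of 'contactId|expiry'>".
function make_token(int $contactId, int $expiry, string $secret): string {
    return $expiry . '_' . hash_hmac('sha256', $contactId . '|' . $expiry, $secret);
}

function token_is_valid(int $contactId, string $token, string $secret, int $now): bool {
    if (!preg_match('/^(\d{1,12})_([0-9a-f]{64})$/D', $token, $m)) {
        return false;
    }
    $expiry = (int) $m[1];
    $expected = hash_hmac('sha256', $contactId . '|' . $expiry, $secret);
    // Constant-time comparison first, then the expiry check.
    return hash_equals($expected, $m[2]) && $now <= $expiry;
}

// $upstream is a hypothetical callable standing in for the real contact.get call.
function filtered_contact_get(array $request, callable $upstream, string $secret, int $now): array {
    $entity = strtolower((string) ($request['entity'] ?? ''));
    $action = strtolower((string) ($request['action'] ?? ''));
    if ($entity !== 'contact' || $action !== 'get') {
        return ['is_error' => 1, 'error_message' => 'call not allowed'];
    }
    $id = filter_var($request['contact_id'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]);
    $token = $request['hash'] ?? '';
    if ($id === false || !is_string($token) || !token_is_valid($id, $token, $secret, $now)) {
        return ['is_error' => 1, 'error_message' => 'invalid contact ID or hash'];
    }
    // Build the upstream parameters from scratch so that no caller-supplied
    // filter, option or return list is passed through.
    $row = $upstream(['id' => $id, 'return' => ALLOWED_RETURN]);
    // Filter the response as well, in case upstream adds fields by default.
    return ['is_error' => 0, 'values' => array_intersect_key($row, array_flip(ALLOWED_RETURN))];
}

// Constructed demo data: secret, clock, contact row and requests.
$secret = 'demo-secret-not-for-production';
$now = 1700000000;
$upstream = fn(array $p) => ['id' => $p['id'], 'display_name' => 'Constructed Person',
    'is_opt_out' => '0', 'opt_in' => '1'];
$base = ['entity' => 'Contact', 'action' => 'get', 'contact_id' => '42'];
var_dump(filtered_contact_get($base + ['hash' => make_token(42, $now + 3600, $secret)], $upstream, $secret, $now));
var_dump(filtered_contact_get($base + ['hash' => make_token(42, $now - 1, $secret)], $upstream, $secret, $now));
var_dump(filtered_contact_get(['action' => 'delete'] + $base, $upstream, $secret, $now));
```

The first call returns only the two allow-listed fields; the expired token and the non-get action are both rejected before anything reaches upstream.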