Normally I wouldn’t think you’d be moving everything over; most of the content is relatively static, especially if you build with this intent.
I think Push Publishing would manage it fine most of the time and is reliable. I think this is the overwhelming best practice.
You didn’t mention Site Copy, which actually works pretty well, but as you note, doesn’t do the Permissions.
I also tried to use the API to do Roles, but it is quite limited.
I do dev and prod on the same site but with a Velocity content type (each widget's code has Velocity, JS and CSS in one content type), and a different structure tells the template which version to use. I test it on one test site and then roll it out to all the sites I want to… but all my sites use one location for Velocity code (I have one Shared site that has all the shared items - multiple versions of the various widgets).
I built a Chrome Extension to manage my permissions (well, set the exact permissions I want) - you could easily fork or extend this.
https://community.dotcms.com/t/permission-settings-via-chrome-extensions/103?u=markpitely
M