Great questions. On the round-trip / mapping: you're right that Presidio won't restore on its own. Kong is the wrapper. When it sanitizes the request, it builds a little map of original to redacted value for each entity and keeps it in per-request context (OpenResty's ngx.ctx). On the way back it just does a string replace to swap the originals back in, then throws the map away. It lives for exactly one request. Nothing cached or persisted.
On score being irrelevant without context: there's genuinely no context field, you're right. But score still does something. It's not a firing gate (regex matches or it doesn't), it's a tiebreaker. When two recognizers flag the same span, highest score wins. Built-in Presidio recognizers often sit around 0.85, and the custom default is 0.5, so a custom pattern can lose to a built-in on an overlapping span. If yours "isn't taking effect," bump the score. Just don't treat it as a sensitivity dial. Lower doesn't catch more, higher doesn't suppress weak matches.
On built-in categories having a threshold: they're a fixed list, not individually score-configurable from the plugin. Any actual score_threshold cutoff lives inside the PII service (Presidio's AnalyzerEngine), not the Kong config, and isn't documented. The plugin applies no cutoff of its own, it just forwards your patterns and scores straight through.
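An added sketch, not part of the reply above and not Kong's or Presidio's code, modelling the two behaviours it describes: score as a tiebreaker on overlapping spans, and the per-request map used to swap originals back in. The recognizer names, patterns, placeholder format and sample text are constructed assumptions; 0.85 and 0.5 are the scores quoted in the reply.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Match:
    entity: str
    start: int
    end: int
    score: float

# Constructed recognizers (entity, regex, score); names and patterns are hypothetical.
RECOGNIZERS = [
    ("PHONE_NUMBER", r"\b\d{3}-\d{3}-\d{4}\b", 0.85),       # stands in for a built-in
    ("TICKET_ID", r"\b\d{3}-\d{3}-\d{4}-[A-Z]{2}\b", 0.5),  # custom pattern, default score
]

def analyze(text, recognizers):
    # A regex either matches or it doesn't; the score never gates firing.
    return [Match(name, m.start(), m.end(), score)
            for name, pattern, score in recognizers
            for m in re.finditer(pattern, text)]

def resolve(matches):
    """Where spans overlap, keep only the highest-scoring match."""
    kept = []
    for m in sorted(matches, key=lambda m: (-m.score, m.start)):
        if all(m.end <= k.start or m.start >= k.end for k in kept):
            kept.append(m)
    return sorted(kept, key=lambda m: m.start)

def sanitize(text, recognizers):
    """Return (redacted text, map of placeholder -> original) for one request."""
    mapping, out, pos = {}, [], 0
    for i, m in enumerate(resolve(analyze(text, recognizers))):
        placeholder = f"<{m.entity}_{i}>"  # assumed placeholder format
        mapping[placeholder] = text[m.start:m.end]
        out += [text[pos:m.start], placeholder]
        pos = m.end
    out.append(text[pos:])
    return "".join(out), mapping

def restore(text, mapping):
    """Plain string replace on the way back; the caller then discards the map."""
    for placeholder, original in mapping.items():
        text = text.replace(placeholder, original)
    return text
```

With the default 0.5 the custom pattern loses the overlapping span and the `-AB` suffix leaks through unredacted; raising its score above 0.85 makes the full ticket ID the winning span.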