You’re asking for simple answers to complex questions, and I don’t think you’re going to be able to design your application one question at a time. You might consider engaging with the Professional Services team to contract them to review your requirements and possibly build an application for you.
If you truly want this to be end-user driven, then you need a way for them to determine which Fixlets are relevant. That might be the Client Compliance API, or a custom Dashboard in the Self-Service App. or a website they visit that is populated by REST API queries to the server. Whatever results are presented needs to be filtered to the fixlets you want the user to be able to select, i.e. filtering out BES Client upgrades & uninstalls, deployment of new licensed software, etc.
You need a way for the user to select which fixlets they want to deploy. That’s likely either a Self-Service App Dashboard with links to some custom web service (passing along the Fixlet ID, Site, and Computer ID), or an independent Web Service. In either case the Web Service should authenticate the user and verify they should have the rights to deploy fixlets on the given computer (don’t want one user being able to deploy fixlets to someone else’s computer).
Then you need a way for the web service, having been requested by the user, to deploy fixlets to the end computer. That’s a relatively straightforward REST API request to send the action. The web service will need an API account that is allowed to send actions to the computers.
There are security considerations throughout - how to authenticate users, how to assign and verify their rights on the computer(s), storing credentials for the REST API, managing network ports and firewall rules, and a lot of this is outside of BigFix itself, it will be up to you and your application to manage.