Date: 2025-07-17 07:35:41
1. It looks like a perimeter security implementation. It means that the gateway acts as a centralized authorization point at the network perimeter. It means all security checks happen at the gateway entrance and, once a request passes the gateway, microservices trust each other completely. This decision is workable and many adopt it, but there are also drawbacks. If one microservice is compromised, it can potentially access any other service without additional security checks. Also, relying solely on network security for internal service communication is a significant security risk.

How can other services trust each other? There are several approaches, such as zero-trust tolerance, mTLS, and OAuth. Just check them out. Perhaps some of them will be preferable for your needs.

So, you definitely have to verify the JWT in each microservice, despite the fact that it adds additional overhead.

2. Yes, it is common to include auth details like userID, roles, permissions, and scopes within a JWT. It's one of the benefits of a JWT. It's called the authorization context. BTW, with the authorization context, each service can validate permissions for specific operations.

3. I recommend using a separate DB for each service. Using a single DB is an anti-pattern and a very bad idea. You will get it when your application grows.

Posted by: Oleg Cheban