Implement stateless mode using f:view "transient" attribute
The big problem with this stuff is what happen when view protection is considered and the resulting relationship between the state mode used (client or server) and mixing everything together.
For example, view protection relies on what's inside javax.faces.ViewState hidden field and how it is encoded. Theorically javax.faces.ViewState protects against CSRF attacks, but with a special stateless token it could be possible to use that token into non stateless views. We should prevent that adding proper checks into the StateManagementStrategy and the Restore View phase.
In theory, it is necessary to extend org.apache.myfaces.application.StateCache abstract class to reflect the necessary logic to ensure protected views are always secured, even if they are declared as stateless.