I would not recommend handing security “parts” to the reverse proxy. Sure, a reverse proxy can do things like TLS termination, rate limiting and authentication, but that also introduces a single point of failure.
For a zero trust architecture, implement it on both sides: the reverse proxy as well as any upstream backend. This way, if any malicious software was able to bypass the proxy, it won't be able to abuse the protected service.
The trade-off here is added complexity and maybe a slight performance loss in processing TLS and authZ/authN twice, but it should be minimal. Also, things like SSL passthrough can be utilized in some cases.
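
The "both sides" point above, as an added example that is not part of the original comment: a backend that trusts an identity header set by the proxy next to one that repeats the token check itself. The `X-Forwarded-User` header name, the HMAC token format and all function names are assumptions made for this sketch.

```python
import base64, hashlib, hmac, json, time

SECRET = b"constructed-demo-key"  # assumption: key shared with the token issuer

def _b64(data):
    return base64.urlsafe_b64encode(data).decode().rstrip("=")

def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(user, ttl=300, now=None):
    """Issuer side (constructed): '<payload>.<HMAC-SHA256 signature>'."""
    now = time.time() if now is None else now
    payload = _b64(json.dumps({"sub": user, "exp": int(now) + ttl}).encode())
    sig = _b64(hmac.new(SECRET, payload.encode(), hashlib.sha256).digest())
    return f"{payload}.{sig}"

def verify_token(token, now=None):
    """Return the subject if signature and expiry check out, else None."""
    now = time.time() if now is None else now
    try:
        payload, sig = token.split(".")
        expected = _b64(hmac.new(SECRET, payload.encode(), hashlib.sha256).digest())
        if not hmac.compare_digest(sig, expected):  # constant-time comparison
            return None
        claims = json.loads(_unb64(payload))
        return claims["sub"] if claims["exp"] > now else None
    except (ValueError, KeyError, TypeError):  # malformed token of any kind
        return None

def backend_trusting_proxy(headers):
    """Weak: identity comes from a header only the proxy is supposed to set."""
    return 200 if headers.get("X-Forwarded-User") else 401

def backend_verifying(headers, now=None):
    """Backend repeats authN itself; the proxy-set header is ignored."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401
    return 200 if verify_token(auth[len("Bearer "):], now) else 401

if __name__ == "__main__":
    # Constructed request that reached the backend without passing the proxy.
    direct = {"X-Forwarded-User": "alice"}
    print("trusting backend:", backend_trusting_proxy(direct))   # accepted
    print("verifying backend:", backend_verifying(direct))       # rejected
    good = {"Authorization": "Bearer " + issue_token("alice")}
    print("verifying backend, valid token:", backend_verifying(good))
```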