1. Do you mean everything, including deleting users, content types, etc., or just being able to manage all content but not content permissions? If the latter, you don't need a virtual role; this is a built-in permission level on content called 'Administer'. See https://support.optimizely.com/hc/en-us/articles/4413200626829-Access-rights and https://support.optimizely.com/hc/en-us/articles/4413200676621-Set-access-rights-from-edit-view. If the former, that granularity doesn't exist in the system. Admin mode is all or nothing, basically.
2. Admin mode is all or nothing. But if the user should only be allowed to change the passwords, then I would create a custom view for that and then not grant them access to admin mode or to edit content.
I also think you've misunderstood what virtual roles are. This is the key concept: "these are roles where the membership criteria is determined at runtime." You don't control what permissions the virtual role has at runtime.
We are looking at restricting access for certain types of users within our Optimizely system. I have reviewed this documentation but have been unable to figure out how to handle a couple of scenarios: https://docs.developers.optimizely.com/content-cloud/v12.0.0-content-cloud/docs/virtual-roles