apex.server.process can be invoked from client-side Javascript to read/write data on the server. The pName parameter to this API is The name of the PL/SQL on-demand page or application process to call. Parameters to this process are passed using the apex_application.g_xNN package variables. This process typically returns a JSON object back to the client. For DML operations, this is typically a simple success/failure code/message. When data needs to be retrieved, it tends to be a more complex object. Putting all this code in the APEX application/page process (AJAX callback) is considered poor practice.
I guess the only option is to create a packaged or standalone stored procedure and use that as the application/page process with the restriction that it should have exactly zero parameters, instead all IN and OUT parameters are passed using APEX session state/package variables.
Something like this.
Am I on the right track?