Rsync + public key authentication security

Those security concerns are right. So, to answer your first question: to make it work as you like, you should put validate_rsync in a directory where user12 has execute permission, but not write. The very same validate_rsync file should have read and execute permissions for the user, but of course not write. The issue here is that /root by default is accessible only by the root user; you need a path where each directory has execute permission for user12. For example, you could copy validate_rsync to /usr/local/bin and make it owned by root. As long as user12 can execute and read it, it's OK.

You don't need to protect your authorized_keys file. It would be better to force user12 to run a command through configuration, by putting the following in sshd_config:

Match User user12
  ForceCommand /usr/local/bin/validate_rsync

I think this solution is better than tinkering with authorized_keys.

Also, in your validate_rsync I would quote $SSH_ORIGINAL_COMMAND (safer), and I would change your case statement to check the validity of the command against a regular expression using grep; easier, more compact and more powerful:

#!/bin/bash
# Log every command the client asked for, so it can be inspected later.
echo "$SSH_ORIGINAL_COMMAND" >> /var/log/synchronize-log.log
# Reject anything containing shell metacharacters before looking further.
if echo "$SSH_ORIGINAL_COMMAND" | grep -qE '[&;<>`|]'; then
  echo Rejected
  exit 1
# Only an rsync server invocation is allowed through.
elif [[ "${SSH_ORIGINAL_COMMAND:0:14}" == "rsync --server" ]]; then
  # Deliberately unquoted: word splitting turns the string into rsync's argv.
  $SSH_ORIGINAL_COMMAND
else
  echo Rejected
  exit 1
fi

To answer your second question, as you are logging the SSH_ORIGINAL_COMMAND, you can run a test with the directories you want to consider and then examine the SSH_ORIGINAL_COMMAND you are getting. Then you could make validate_rsync validate just that command.
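The following is an added example of a complete ForceCommand wrapper that combines both points of the answer; it is not the answer's own script. Besides the metacharacter and `rsync --server` checks it goes one step further than the answer's "allow exactly the logged command" approach: it splits the server invocation at the `.` separator rsync always sends and requires every path after it to sit under one directory with no `..` component, so the same wrapper covers pushes and pulls to any subdirectory of that tree. The directory `/srv/backup/user12`, the `VALIDATE_RSYNC_ROOT` and `VALIDATE_RSYNC_LOG` overrides and the `validate_rsync` file name are assumptions; the log path is the one from the question.

```shell
#!/bin/sh
# validate_rsync: intended to be installed as /usr/local/bin/validate_rsync and
# run via "ForceCommand" for user12. Added example, not the original answer's code.

# Assumed log path (from the question) and assumed directory the user may sync.
LOGFILE="${VALIDATE_RSYNC_LOG:-/var/log/synchronize-log.log}"
ALLOWED_ROOT="${VALIDATE_RSYNC_ROOT:-/srv/backup/user12}"

# validate_rsync_cmd CMD
# Returns 0 when CMD is an rsync server invocation whose every path argument
# lies under ALLOWED_ROOT, 1 otherwise. No side effects, so it is testable.
validate_rsync_cmd() {
    cmd=$1
    nl='
'
    # An empty command means the client wanted a shell: refuse.
    [ -n "$cmd" ] || return 1
    # Newlines and shell metacharacters are never part of an rsync invocation.
    case $cmd in *"$nl"*) return 1 ;; esac
    if printf '%s\n' "$cmd" | grep -qE '[&;<>`|$(){}\\]'; then
        return 1
    fi
    # Must be the server side of rsync, nothing else.
    case $cmd in
        "rsync --server "*) ;;
        *) return 1 ;;
    esac
    # Word-split in a subshell with globbing off, then walk the arguments:
    # options precede a lone ".", the path arguments follow it.
    (
        set -f
        set -- $cmd
        shift 2                      # drop "rsync" and "--server"
        seen_dot=0
        npaths=0
        for w in "$@"; do
            if [ "$seen_dot" -eq 0 ]; then
                case $w in
                    .)  seen_dot=1 ;;
                    -*) ;;           # rsync option, e.g. --sender or -vlogDtpre.iLsfxC
                    *)  exit 1 ;;    # unexpected bare word before the separator
                esac
            else
                # Every path must be absolute and inside ALLOWED_ROOT.
                case $w in
                    "$ALLOWED_ROOT"|"$ALLOWED_ROOT"/*) ;;
                    *) exit 1 ;;
                esac
                # No ".." component, so the prefix check cannot be escaped.
                case /$w/ in */../*) exit 1 ;; esac
                npaths=$((npaths + 1))
            fi
        done
        if [ "$seen_dot" -eq 1 ] && [ "$npaths" -ge 1 ]; then
            exit 0
        else
            exit 1
        fi
    )
}

# Entry point used when sshd runs the wrapper: log, validate, then exec rsync.
validate_rsync_main() {
    cmd=${SSH_ORIGINAL_COMMAND:-}
    printf '%s\n' "$cmd" >> "$LOGFILE" 2>/dev/null || :
    if validate_rsync_cmd "$cmd"; then
        set -f
        # Unquoted on purpose: the validated string becomes rsync's argv.
        exec $cmd
    fi
    echo Rejected >&2
    exit 1
}

# Only dispatch when invoked under the installed name; sourcing the file for
# tests defines the functions without running anything.
case ${0##*/} in
    validate_rsync) validate_rsync_main ;;
esac
```

Options before the `.` separator are not inspected here, so if the log shows that user12 only ever needs one exact invocation, comparing against that literal string (as the answer suggests) remains the tighter rule; this wrapper is for the case where several subdirectories under one tree must be allowed.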

Tags: Rsync, Ssh Keys