IMHO, the task of a request is to accept incoming data (POST / GET / COOKIE and other headers), initiate the launch of the desired controller method, and return the request with the result. Accordingly, all logic (validation, queries to the database, etc.) should be in the controller, but not the request. Request is a utility class, and it makes sense to split it into subclasses if various options for processing an incoming request are possible, but not to adapt to the business logic in any way.

Writing classes for req and res is overengineering. Validation is enough, it can be placed either in the controller or in the model, depending on your preferences.

In my opinion, it makes no sense, the request should only describe the HTTP logic and should not know anything about the specifics of the data transmitted in it. The request must be validated by the validator after routing.

And you can also create BaseRequest and BaseResponse for greater importance and write something in common there, and then inherit Request and Response from them, and so on. It is also possible to compose some other intermediary class to connect these objects, and for greater importance, make all the parameters that the Request can receive objects, and already write validation in them for each. After all, this is OOP, right? ;-)

The problem is that polymorphism will be clumsy there. To determine which class instance to instantiate, you must first parse the contents of the request, which you design should be done in one of the child classes.
Classes that are responsible for processing different types of requests should be separate, but reception and analysis, IMHO - multiplexer + filter = 1, 2 classes (which do not depend on the contents of the package).

In general, there is something reasonable moments. But in itself, typing a post is not yet an object, and with validation, the business logic is drawn to the form. True, there are cases when there are get-parameters, but you don’t really need to validate them (some view parameters or say ?mode=debug), then there will be no form. In general, it can get confusing. I think all that is needed is the validation of the presence of the necessary, the absence of unnecessary post parameters, this is the method of the base Request, and there is no need for successors.
Have you looked at how it is implemented in popular frameworks?

By the way, I'm thinking about it right now. This has its advantages:
* no need to validate data in the controller;
* in turn, the controller will acquire an interface.
But the complexity, of course, increases significantly. For example, when we do not know in advance the complete list of data that we need, and this list itself will depend on the data that is in the request.