Everything is now hooked up (the power, the ESP8266 and NRF modules) and working fine. I've worked on the GUI to make it clear and responsive: when an item is pressed on the touchscreen, it remains 'on' and highlighted until it is pressed again to cancel even after power cycling (everything is stored in EEPROM). Buttons at the bottom access additional screens (more grocery items and the barcode scanning facility).

I've settled on a list app that will be used to view and cross off items when out shopping: Todoist. It has a nice elegant look and feel, and a straightforward API with a couple of very useful features. One of these is the ability to set a user defined unique ID when adding a particular item to the list - this means that it is possible to delete that item without needing to know the ID assigned to it by the app.

The Todoist API requires the use of HTTPS, but the ESP8266 cannot handle SSL, so everything is relayed via ThingSpeak's ThingHTTP app. The ESP8266 makes a GET request to ThingHTTP with plain unsecured HTTP with the item and ID, and then ThingHTTP makes a POST request to Todoist with HTTPS. This is obviously not ideal, security wise, but until the ESP32 comes along I'll just have to live with the possibility that unit 61398 are monitoring my cheese consumption.