For question 5, this was covered in the Slack Q&A in #device-management-lounge. The answer from Jesse E (Apple) is pasted below for posterity (not sure how long the Slack instance will stay around):
Because the local account exists on the Mac already, the user will still be able to log in to this local account even though the account has been disabled in the IdP. The last password that synced remains. In a scenario where the user should no longer be able to log in to the device, other methods should be used such as the device lock MDM command. Think of this like a local password that just happens to get automatically updated/kept in sync. But it's still a local password and therefore still behaves exactly as any other local password would — since that's what it is. So in those cases you're talking about, you'll want to handle it separately.