So now you can spoof a domain as long as you have the private part of the certificate even though you don't have control over the domain?

If I understand this right, this seems to open up some doors for some new email phishing scams.




This is true with TLS as well, though it also requires man-in-the-middling (MITM) the connection. MITM is usually rather easy compared to stealing a private key.


Yes, but it is much harder to MITM if the users are in different parts of the world.

Someone can buy a lookalike domain name using similar-looking UTF characters, send out a bunch of email spam with a URI that looks like the original, and once the user visits the webpage it instantly loads the AMP and suddenly the URL is authentic. There will only be a very quick URL change from the punycode URL to the original that I doubt many will notice.
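The lookalike-domain part of this comment is something a mail gateway or URL filter can check for before the user ever sees the punycode form. The following is an added example (not code from the thread or from any AMP or browser project): it decodes `xn--` labels back to Unicode with Python's standard `punycode` codec, flags labels that mix scripts, and compares a confusable-folded "skeleton" of each label against a constructed watch list. The `CONFUSABLES` table and `WATCH_LIST` are assumed, deliberately small samples; the sample hostnames are constructed for the demonstration.

```python
import unicodedata

# Constructed, deliberately small subset of the Unicode confusables data
# (UTS #39): Cyrillic letters that render like Latin ones. Not exhaustive.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i",
    "\u0458": "j", "\u0455": "s", "\u04cf": "l", "\u04bb": "h",
}

# Constructed watch list of names a gateway policy protects.
WATCH_LIST = {"apple", "example"}


def decode_host(host: str) -> str:
    """Turn an ACE hostname (labels starting with xn--) into its Unicode form."""
    labels = []
    for label in host.lower().split("."):
        if label.startswith("xn--"):
            # Standard-library punycode codec (RFC 3492) on the part after xn--
            label = label[4:].encode("ascii").decode("punycode")
        labels.append(label)
    return ".".join(labels)


def scripts_in(label: str) -> set:
    """Approximate the scripts used in a label from Unicode character names."""
    scripts = set()
    for ch in label:
        if ch.isascii() and (ch.isdigit() or ch == "-"):
            continue  # digits and hyphens are script-neutral
        scripts.add(unicodedata.name(ch, "UNKNOWN").split()[0])
    return scripts


def skeleton(label: str) -> str:
    """Fold confusable characters to their Latin lookalikes."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in label)


def assess_host(host: str) -> dict:
    """Return the Unicode form of host plus any lookalike findings."""
    uhost = decode_host(host)
    findings = []
    for label in uhost.split("."):
        used = scripts_in(label)
        if len(used) > 1:
            findings.append(f"mixed scripts {sorted(used)} in label {label!r}")
        folded = skeleton(label)
        if folded != label and folded in WATCH_LIST:
            findings.append(f"label {label!r} is confusable with {folded!r}")
    return {"unicode_host": uhost, "findings": findings, "suspicious": bool(findings)}
```

Running `assess_host("xn--pple-43d.com")` reports both a mixed-script label and a match against `apple`, while a legitimate single-script IDN such as `xn--mnchen-3ya.de` passes clean.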
