As every other login form does. In this situation basic authentication is no different from every other authentication mechanism that uses passwords...
Not necessarily, you can set up TLS client auth with signed certificates, generated locally, that the server never receives the private key of. The server can validate and authenticate without knowledge of the secret, and cannot impersonate the user.
The problem with TLS client certs, of course, is the fact that you need a method of signing CSRs, and the terrible UX modern browsers have for client auth, especially on mobile.
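The flow the two comments above describe, as an added Go example that is not code from the original thread: a CA signs a CSR that carries only the client's public key, and the server, holding nothing but the CA certificate, verifies the chain and a signature over a challenge, so it never learns the client's secret and cannot produce that signature itself. The CA name, the subject "alice" and the nonce are constructed for the demo, and the explicit challenge stands in for the signature the TLS handshake itself demands from the client.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)
// must unwraps (value, error) pairs so the constructed demo flow reads linearly.
func must[T any](v T, err error) T { if err != nil { panic(err) }; return v }
func keygen() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }
// sign issues tmpl for public key pub under parent (self-signed when parent == tmpl) with the issuer's private key.
func sign(tmpl, parent *x509.Certificate, pub any, issuerKey *ecdsa.PrivateKey) *x509.Certificate {
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, issuerKey))))
}
// IssueClientCert plays the CA: the CSR carries only the public key plus a proof-of-possession signature, never the private key.
func IssueClientCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, csrDER []byte) *x509.Certificate {
	csr := must(x509.ParseCertificateRequest(csrDER))
	if err := csr.CheckSignature(); err != nil { panic(err) }
	t := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: csr.Subject, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	return sign(t, ca, csr.PublicKey, caKey)
}
// ServerAuthenticates plays the server, which holds only the CA cert: the chain must verify and the challenge signature must check under the cert's key.
func ServerAuthenticates(ca, cert *x509.Certificate, challenge, sig []byte) string {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	pub, isEC := cert.PublicKey.(*ecdsa.PublicKey)
	h := sha256.Sum256(challenge)
	if err != nil || !isEC || !ecdsa.VerifyASN1(pub, h[:], sig) {
		return "" // bad chain, wrong key type, or a signature not made with the certified key
	}
	return cert.Subject.CommonName
}
// Demo builds a constructed CA, enrolls "alice" via CSR, and shows what the server accepts for the real client key versus some other key.
func Demo() (honest, impostor string) {
	caKey, clientKey := keygen(), keygen()
	caT := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "demo-ca"}, IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	ca := sign(caT, caT, &caKey.PublicKey, caKey)
	csr := must(x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{Subject: pkix.Name{CommonName: "alice"}}, clientKey))
	cert, challenge := IssueClientCert(ca, caKey, csr), []byte("constructed-nonce-42") // nonce is a constructed sample
	h := sha256.Sum256(challenge)
	sig := must(ecdsa.SignASN1(rand.Reader, clientKey, h[:]))
	forged := must(ecdsa.SignASN1(rand.Reader, keygen(), h[:])) // all a party without the client key can do
	return ServerAuthenticates(ca, cert, challenge, sig), ServerAuthenticates(ca, cert, challenge, forged)
}
```

Demo returns ("alice", ""): the genuine client is named, and a signature from any other key, which is all the server or anyone who only saw the CSR and certificate could produce, is rejected.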
Yes, in theory you can, but it's a pain: a certificate needs to be installed in the browser, the user gets a popup every time saying that you want to use a certificate, when the user changes computer they either need to back up the certificate or install it again, etc. My bank did that in the past and they no longer support that; instead they opted for classical multi-factor authentication: password + authorize the access with your phone.