1. The permissions the database user has depend completely on what permissions he was given in MySQL. That has nothing at all to do with MODx.
2. Yes, with the caution that it is possible to write snippets and plugins with PHP code that itself is not secure. For that reason, Evo has the option of preventing Manager users from using the @EVAL feature of TVs.
1. Not all, but it depends on what some of your snippets or plugins are doing. Minimum should probably be:
SELECT, INSERT, UPDATE, DELETE for data, CREATE, ALTER, INDEX, DROP for tables, and possibly CREATE TEMPORARY TABLES.
2. We certainly expect so! You should subscribe to the notices newsletter just in case, though. http://forums.modx.com/thread/251/security-notice-subscription-options#dis-post-1649
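Added example, not part of the original posts or of MODx: a small check that compares the output of MySQL's `SHOW GRANTS` for the site's database user against the minimum privilege list given above. The database name `modx_db`, the account `modx`@`localhost`, the function names and the sample grant lines are assumptions made up for illustration.

```python
import re

# Minimum privilege set listed in the answer above.
ALLOWED = {
    "SELECT", "INSERT", "UPDATE", "DELETE", "CREATE", "ALTER", "INDEX", "DROP",
    "CREATE TEMPORARY TABLES",
}

# Constructed sample SHOW GRANTS output (hypothetical user and database names).
SAMPLE_OK = [
    "GRANT USAGE ON *.* TO `modx`@`localhost`",
    "GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, INDEX, ALTER, "
    "CREATE TEMPORARY TABLES ON `modx_db`.* TO `modx`@`localhost`",
]
SAMPLE_BAD = [
    "GRANT FILE ON *.* TO `modx`@`localhost`",
    "GRANT ALL PRIVILEGES ON `modx_db`.* TO `modx`@`localhost` WITH GRANT OPTION",
]

GRANT_RE = re.compile(
    r"^GRANT\s+(?P<privs>.+?)\s+ON\s+(?P<scope>\S+)\s+TO\s+(?P<grantee>.+?)"
    r"(?P<gopt>\s+WITH\s+GRANT\s+OPTION)?\s*;?\s*$",
    re.IGNORECASE,
)

def split_privs(text):
    """Split a privilege list on commas, ignoring column lists such as SELECT (a, b)."""
    text = re.sub(r"\([^)]*\)", "", text)
    return [" ".join(p.upper().split()) for p in text.split(",") if p.strip()]

def audit_grants(lines, expected_db):
    """Return (scope, finding) pairs for grants beyond ALLOWED or outside expected_db."""
    findings = []
    for line in lines:
        m = GRANT_RE.match(line.strip())
        if not m:
            continue  # not a privilege grant (e.g. a role grant without ON)
        scope = m.group("scope").replace("`", "")
        privs = set(split_privs(m.group("privs")))
        privs.discard("USAGE")  # USAGE is MySQL's "no privileges" marker
        if m.group("gopt"):
            privs.add("GRANT OPTION")
        extra = sorted(privs - ALLOWED)
        if extra:
            findings.append((scope, "excess privileges: " + ", ".join(extra)))
        if privs and scope != f"{expected_db}.*":
            findings.append((scope, f"grant not limited to the {expected_db} schema"))
    return findings
```

Feed it the lines returned by `SHOW GRANTS FOR` the site's account; an empty result means the account holds nothing beyond the listed minimum on its own schema.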