I've had the following answers from Apple:
If I do 1, does that turn it on for the whole app?
Yes. It becomes the default data protection for all file system objects your app creates.
Can I do 3 without doing 1?
Yes. This is useful if you want protect just one file.
You can also do 1 and 3, that is, use 1 to set the default and 3 to override that default for certain files.
Do I need to do 2 at all?
No. Once you do 1, the value ends up in your provisioning profile, which is then merged into your code signing entitlements at build time.