I have answers for just 2 of the questions, but maybe some other people will guide more with complete answers.
Question 3. You can host any WCF service implementation with a Windows Service (meaning you can self-host any WCF service). Quote from MSDN:
Because it incorporates a WCF implementation, WCF Data Services support self-hosting a data service as a WCF service. A service can be self-hosted in any .NET Framework application, such as a console application. The DataServiceHost class, which inherits from WebServiceHost, is used to instantiate the data service at a specific address. http://msdn.microsoft.com/en-us/library/cc668805.aspx
Question 4. Any service/application you develop is as secure you code it, host it or use it. And your service is as unsecure as your most unsecure component. A Data Service can be made secure if properly implemented and configurated. You can also use secured bindings and so on. MSDN is again your friend with guideliness for Data Service security http://msdn.microsoft.com/en-us/library/dd728284.aspx
But keep in mind that IIS allows you more configurations for many things, including security, than self-hosting (using Windows Service).