1. emuNAND is essentially a copy of your sysNAND (internal firmware) on the SD card that is completely isolated from your sysNAND, so anything you do there can't be detected on or affect your sysNAND. The main benefit of this is being able to go online in legit games on sysNAND, since none of the evidence that you are a CFW user is present on the sysNAND, and once you take the SD card out it's as if the console was never hacked. Although they don't even check the SD card, that is something they could choose to do in the future, so to be 100% safe from bans use a separate SD card for legit or just take it out. But I personally don't bother with that and I'm still 99.999999% safe.
2a. It's not the CFW itself that will get you banned, it's what you do with it. If you have installed any NSPs, whether they're games or homebrew, the NAND is now tainted and you'll likely get banned. Homebrew can also taint the NAND depending on what they do; you generally want to avoid anything that writes to the NAND (save managers also count here: while the saves you injected with them aren't necessarily detectable as being anything abnormal, if you use hacked/modded saves, especially in online games, that can very much be detectable.
Also, if you have gone online in a game previously and you restore an older save and then go online again, they might be able to detect the mismatched data suggesting that the save was rolled back, which would be impossible without a hacked console).
Just CFW use by itself and even custom sysmodules currently doesn't carry much risk of ban because Nintendo don't check for them. But in theory they could push a new firmware update that checks for those things and by the time people realized and did something to stop it, it would be too late for a lot of people as they would already be flagged or banned.
It's best just to stick to emuNAND for all your CFW stuff, and keep your sysNAND in fully original state, never even booted CFW on it, as then there is no way you could mess anything up that leads to your ban unless you accidentally went online in emuNAND.
Which is why you have stuff like 90DNS (now DNS redirection built into Atmosphere, and enabled by default so you don't actually have to change anything; this basically blocks Nintendo servers so you can still use wifi in homebrew without the console calling back to Nintendo) or Incognito (now PRODINFO blanking also built into Atmosphere, enabled via exosphere.ini; this basically anonymizes your Switch so it will still try to connect but Nintendo's servers will not be able to recognize it and will simply refuse the connection, so it can't be linked back to your sysNAND).
You only need one or the other but it's a good idea to use both as it adds an extra layer of protection if something were to go wrong. For example, if Nintendo adds new domains to the list the Switch tries to call home to and people don't realize in time and you update, then DNS redirection would not help you but the Switch would still be anonymized thanks to PRODINFO blanking so you would be safe. Or vice versa, if you accidentally overwrite the exosphere.ini with the default while updating Atmosphere, leading to PRODINFO blanking being disabled, the console still wouldn't be able to connect to Nintendo servers because they are blocked by the DNS redirection. It's unlikely for both things to happen at the same time, and using both doesn't hurt anything, so best to use both.
2b) I said in 2a that save managers are best avoided on sysNAND, but the actual chance of getting banned by modifying saves in offline games is pretty minuscule. It's just not worth taking the chance when you could just be playing those offline games on your emuNAND and not have to worry about the risk, however small it is. If they are offline anyway you lose nothing by playing them on emuNAND. When it comes to online games though, there was a big ban wave recently over modified saves, so that is something they can and do check in online games, although I don't know if there are only specific games they check that on, and exactly what they check for; only Nintendo knows that. So you might get away with modifying a save and playing online with it, but there's too much uncertainty. I can't really say with any confidence what the risk of getting banned if you do this is; I can only say that there is a definite risk and getting banned over modified saves is something that does actually happen.
Splatoon would definitely be one of the games where Nintendo actually cares more about cheaters - it's one of the only games on the Wii U where people actually got banned for modified saves. Nintendo cares more about that in Splatoon because it's so online focused. In Smash you're generally not doing anything with a save manager other than unlocking content which you could otherwise obtain, so it might be reasonably hard for Nintendo to tell that a save is modified. And to name a couple of others: for Pokemon it's really obvious if you make a Pokemon that is "illegal" that you have either modified your save or traded locally with someone that has (online trades don't allow illegal mons). If you know what you are doing, that means you can probably avoid bans if you don't make any dumb mistakes. And for Mario Kart, again there's not much you can do with save editing other than unlock everything and give yourself fake 3 star ratings on every track, but that isn't something Nintendo would probably be able to tell the difference between legit and not, since the data is effectively the same.
But overall, if you care about not being banned just don't use save managers on your sysNAND. If you absolutely need save editing do it on your emuNAND where you are isolated from Nintendo servers and can't do any harm and avoid using it on online games altogether.
3) Covered pretty well above already
4) You'll probably be safe, but there's no way anyone can 100% guarantee that. Nintendo could push an update tomorrow that makes it detect if CFW is running and it could take days for the check to be spotted and removed, by which point the damage is already done. Some people are in a rush to update and do so without checking if the update is fully working and compatible yet.