Imagine how hard it would have been to untangle cross-site security if he had followed that scheme. As it is, we already have to have arbitrary restrictions on where in the domain hierarchy you can root things like cookies (e.g. if you're on www.example.com you can set cookies on example.com, but if you're on example.co.uk you can't set them on co.uk)

No worse than it is today, really. Just have a pubprefix instead of a pubsuffix list.

Yes, now it is too late, since gTLDs have been rolled out in such a haphazard way. Right of first refusal on gTLDs should have been granted to the owner of the most highly trafficked domain (between .com, .org, .net, etc.), or worst case, been auctioned off between parties who already owned that domain on one of the TLDs. That would have meant the primary owner of a gTLD like 'google' would be google.com, instead of a random domain squatter.

Right of first refusal WAS given to trademark holders. .google is owned by Google, not by some random domain squatter (whatever gave you that idea?). Trademark vetting is part of the ICANN application process for a new gTLD. No one else other than Google would've been allowed to have the .google gTLD. There are plenty of brand name gTLDs that were never delegated simply because that company didn't want it, and no one else could have it.