1. For organizing third-party access, this is a very convenient solution. + with good loads, you will not have any problems when moving the base to a separate piece of iron.
2. What structure is expected? (I have been working with MongoDB for a year now, almost the entire project, with proper organization of the database, can be transferred to it and get a performance gain). If you are interested - in a personal message.
3. If on 1 server - a separate user to change + 1 with rights to select for third-party users. And no problem. If you separate the base and logic: a firewall with access from 1 IP to 1 port. Handling third-party requests - also from this SP. (tobish without direct access to the database itself)

Alternatively, instead of MySQL, you can use CouchDB, from the pros, for example, it already has a REST API for your API requests, only security (authentication, access levels) will have to be worked on.

1. Yes, if third-party access is planned. Then it will be easier.
2. Well, only if you are chasing fashion like "MySQL is no longer a cake." And so there is a wonderful thing - HandlerSocket. Use it, make a denormalized database right away, queries for PK, no jOINs and you will be happy)
3. Well, the only difficulty is that you need to write protection. HS accepts requests without access checking, so you only need to allow them from the local machine. And implement the entire protection system in php.
PS I would advise you to use REST architecture for database access in php.

yes, moving it to a separate service is very cool and MVC-shno. I have a link on this topic saved tutorials.jenkov.com/soa/soa.html dig on the site.
that is, you will make a full-fledged website-service. which authorizes, accepts the request, selects data from the store and spits it out.
it is convenient to drive data in json
regarding selections, there are two options - do named query=SelectCategory¶ms[id]=2 or make your own query language, such as developer.yahoo.com/yql/