The default pds packaging takes care of SSL, but thats not a requirement, just something we try to make easy for users.

Also at:// URIs are of the form at://DID/..., and your human readable handle is bound to your DID through DNS TXT records _atproto.roshangeorge.dev, but applications all know to render that as just roshangeorge.dev. That DID points to a document that specifies where your server lives, so the HTTPS/WSS routes can live wherever you want them to.

Also likes/replies/etc on your posts go in their authors repos not yours, your intuition is correct there.

people get so up in arms when you suggest there might be a limit on how many people they can follow.

fwiw, the Knuth quote is "premature optimizations are the root of all evil"

I tend to agree with this, thats why theres canonical URIs for atproto posts that are agnostic to the hosting provider. The format is at://DID/collection/recordKey.

These are used throughout the system, for example if you look at the output of a feed generator, its just a list of these URIs

It's possible, and we've talked about it, but it would take a good amount of work (as would any 'correct' solution), so we have punted on properly solving DMs for a bit. I know Matthew has been very interested in working with us to figure something out here