I’m not sure, but my reading is that it’s safer to include it if content is not meant for children.
Please can you quote the context? I can’t see this on the Manual page for GDPR.
There is an exception for this case, see this post.
I’m not sure. The safest option seems to be to export everything that we have, and necessarily that will not always be easy to digest (e.g. should IP addresses include an explanation of the technology and meaning behind them?). So long as requests for access are met in a timely manner then the subscriber does not need direct access to export them themselves. Clearly that would be more convenient, but also raises potential security questions about the identity of the subscriber (e.g. “appropriate security measures in relation to the sensitivity of the data”).
What about them? 
My understanding is that what you described, in combination with consistent use of double opt-in and adequate server security, covers the bases as far as GDPR compliance is concerned.