Regarding #2, do I understand correctly that domain whitelisting is just about which domains can be used with the current closed beta?
There may be some regulation (or suggested guidelines) about high-trust sites (like banks) that are vulnerable to phishing requiring EVs. Otherwise using the Google Safe Browsing API (as they plan on doing[1]) will probably work and is automated.
[0] https://letsencrypt.org/2015/10/29/phishing-and-malware.html