Correct and correct
You will need to associate the cooldown with a specific user. Users do need an account to post, right?
Easier to code and faster for the code to run. Plus, there is a 10MB limit on file (JSON), but not a set limit that you will realistically run into (MySQL).
Well, the cooldown will help prevent spam.
With a free subdomain? No. With a custom domain? Yes:
Even if you just host a static single-site page, you are still vulnerable to DDoS attacks. The fact that the site is multi-page, dynamic, etc. does not increase/reduce your risk of getting attacked.
Up to you.
JS can’t communicate with PHP without creating a hit. JS is on the client-side, and it does not run until AFTER the PHP code does.
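
An added example, not part of the original post: a per-user post cooldown enforced in PHP on the server and keyed by the logged-in account. The table and column names, the 30-second window and the in-memory SQLite database (used so the script runs without setup; it needs the pdo_sqlite extension) are assumptions.

```php
<?php
declare(strict_types=1);

// Assumed cooldown window; pick whatever suits the site.
const COOLDOWN_SECONDS = 30;

// Hypothetical schema: one row per account holding its last post time.
function makeDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE post_cooldown (
        user_id INTEGER PRIMARY KEY,
        last_post_at INTEGER NOT NULL
    )');
    return $db;
}

/**
 * Returns true (and records the time) if this user may post now.
 * $userId must come from the server-side session, e.g. a value stored
 * in $_SESSION at login, never from a form field or query string.
 */
function tryStartPost(PDO $db, int $userId, int $now): bool
{
    // First post by this account: create its row. MySQL spells this INSERT IGNORE.
    $ins = $db->prepare(
        'INSERT OR IGNORE INTO post_cooldown (user_id, last_post_at) VALUES (?, ?)'
    );
    $ins->execute([$userId, $now]);
    if ($ins->rowCount() === 1) {
        return true;
    }
    // Check and update in a single statement, so two simultaneous
    // requests from the same account cannot both pass the check.
    $upd = $db->prepare(
        'UPDATE post_cooldown SET last_post_at = ?
         WHERE user_id = ? AND last_post_at <= ?'
    );
    $upd->execute([$now, $userId, $now - COOLDOWN_SECONDS]);
    return $upd->rowCount() === 1;
}

$db = makeDb();
$t = 1700000000; // constructed timestamp for the demo
var_dump(tryStartPost($db, 42, $t));      // user 42, first post
var_dump(tryStartPost($db, 42, $t + 5));  // user 42 again, 5 s later
var_dump(tryStartPost($db, 7, $t + 5));   // a different account
var_dump(tryStartPost($db, 42, $t + 30)); // user 42 once the window has passed
```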