Maybe, as a first shot, they decided to favour near-instant implementation over usability by simply setting the price for an existing product to $0 and use the existing checkout flow.
Maybe, but it would have been equally as instant to just set all domains as "WhoisGuard purchased until the year 3000" in the database, and much more user-friendly.
If you're registering as a business rather than an individual it looks dodgy to have a whois privacy record instead of your business details. Not necessarily a deal breaker but definitely a single red flag
Because whois, along with the many people who scrape it, provide a public record of my domain ownership. With privacy protection it is a lot harder to prove ownership if the registrar makes a balls up.