Nothing an electron microscope can't handle. It's not a hardened security chip. It'll cost a bit but it's probably possible for a company to do it for free to show off their services. This is how die shots usually happen.
I would guess most 32-bit microcontrollers and any SoCs capable of running Linux have some sort of boot ROM, at least for the flash programming mode (especially if it's over USB).
Pretty much, yeah. You'll usually see a boot ROM, but it will also have the ability to boot into flash so you can run your own bootloader. But the ROM is always there as a fallback and can't be destroyed.
Nothing about a mask ROM makes the data unrecoverable. It's still Memory that can be Read.
I'd be very surprised if there's not an exploit that will get the CPU to barf up the full ROM contents. That's if there isn't a more direct way to read it.
Even in the extremely unlikely case that it can't be read programmatically, you can always physically decode it with a microscope and a working eyeball.
From there, it's "just" a matter of decompiling the machine code into something readable. It's not trivial, but it can be done by a single person in a reasonable timeframe.