No, he did not: typing rm -rf / into a root shell will delete the OS and your home directory.
It is a little more complicated than that, but the complications do not really affect very much. Last time I installed Debian around 2005 the documentation encouraged me to give /home its own partition, in which case rm -rf / will not get it. But on OS X the default is to put everything in one big partition and I kind get the feeling that Linux has moved that way, too. And even if /home is on its own partition, there are many ways for the malefactor to get /home, e.g., rm -rf /home.
Yes, you both did. To a user losing / is just as bad as losing ~, because ~ is all she cares about, not her OS settings, hence why I think the idea that running as root is worse than running as an unprivileged user is silly in this context.
They are effectively the same: an unknown script executing "rm -rf ~" with an unprivileged user is going to cause as much grief as root running "rm -rf /".
I couldn't care less that the system is still up if all my data is gone.
Not to mention that it's sysadminny-types that you turn to when your OS is hosed and you want to recover data from your drive - having little or no sysadmin skills means recovery and reinstall is very much not trivial.