Custom Login vs Universal Login: customization and security

For the first point, you can fully customize the HTML and CSS with the classic experience of Universal Login; in order to perform a full customization you’ll need to use something other than Lock given Lock already provides a fixed user interface.

That something other is indeed the Auth0.js library, and you’ll find a universal login template that uses it (as mentioned at Customize Classic Universal Login Pages).

It seems the source of the confusion is that both the Lock and Auth0.js web libraries can be used to implement embedded login as well as the classic experience of universal login. In conclusion, you may need to ignore some of the warnings in the reference documentation, as they may not apply to your usage of the libraries.

For the second point, you’re correct that if you use custom domains and have all applications under the same parent domain then the most common issues associated with embedded authentication do not apply. However, you are still left with an approach that forces every single application to handle user credentials so the general recommendation would always be to use universal login (even if a fully customized interface is required).