1. If a user is able to view the certificate then they are able to download it. The email settings do not affect this.
2. The certificate behaves like other activities. If you change the requirements then a user who used to be able to view isn't necessarily able to now. That being said - they may have already downloaded it so will have a digital copy of the PDF.
3. Grades are dynamic and are calculated every time the user downloads the PDF.
4. Yes, it is entirely possible the admin can see that there are 100 issued certificates but that does not mean the users will be able to view the activity again to re-download it if the settings have changed.
5. Yes, re-creating it will work, but again, if you change the requirements then that also stops people from re-downloading it.
6. The certificate does not contain any logic of its own to work out whether or not a user can view it. So, whatever you set in 'Restrict access' *should* also be adhered to when emailing the PDF.
Side note - there was a bug where the cron was continually generating duplicate rows in the issue table. This has been fixed so please upgrade to the latest version (see https://github.com/markn86/moodle-mod_customcert/issues/111 for the initial bug report).
Hope this answers everything.