John, thanks for the really good info. As I had no knowledge of the "pre-capabilities" stuff and as I am an ex-programmer it makes much more sense now.
Given the understanding that you have shared I think I can partially answer the first of your questions (though certainly not the second).
You have certainly answered most of my headache.
Ok, take the example that I gave - a "super student" that you are creating. Say you duplicate "student" to create the new role. You set capabilities as you see them needing to work, but it doesn't fix things the way you wanted. Maybe, where you wanted a "teacher like" power you still get a "student like" power. It could well be that the awkward module is still Old School and is checking isStudent() and is finding that it is indeed a student. By changing the new role to be moodle/legacy:teacher the awkward module checks isStudent() and gets a "nope" back. It checks isTeacher() and gets "yes indeed". So it now treats that user as a teacher and you get what you wanted (maybe!!).
(of course, another Old School module could need to find isStudent() as true... but that's another problem :D )
That would certainly be one reason to have a legacy role changeable.
What happens if you set the legacy role to legacy:none or legacy:authenticated user.... well it probably breaks some modules ;)
As I said, you've told me what I needed to know. Where there was once "one" thing to test and one could have done something like a select statement where you test which role they fell into... now there are hundreds of things to test. More granular control. Maybe good, maybe bad, but certainly I can get my head around the mechanism.
For now I can leave students as legacy:student and so on. I only need to worry about them when I create custom roles, at which point I consider "what is this closest to?"
Thanks so much for taking the time to teach me the history.