Assuming you do not do stupid things and properly use the relevant API, an AJAX login form can be as secure as the “core” login form.
The way you transfer the data is not very important by itself. Even HTTP, although people and Google will claim it is insecure, can probably be secure enough with 2FA, one-time passwords, or just using your own cellular connection instead of coffee shop/work WiFi/network. In any case this is up to the site’s owner to decide.
As for point 3, wp_signon is the right one, and from there all the authentication and setting of cookies should be done.
One thing to keep in mind when doing AJAX is that a successful login will not by itself reflect the new status in the UI without some extra work, and the easiest path is probably to just refresh the page, which makes the whole AJAX idea much less appealing.
Another obstacle you will face is error reporting, like user/password mismatch: you will need to find a way to transfer the login errors to the front-end, and do it in a generic enough way to let other login-related plugins add their own errors.
If it sounds like I am against login via AJAX, I guess I am, but this is just a personal opinion; there is nothing technically impossible or insecure about it.
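
An added example, not part of the original answer: a minimal AJAX login handler built on wp_signon that passes every error code in the returned WP_Error to the front-end, so errors added by other plugins on the authenticate filter travel the same way. The action name `example_ajax_login`, the nonce field `nonce`, and the POST field names are assumptions made for this sketch.

```php
<?php
// Hypothetical plugin code: the action name, function name and POST field
// names are assumptions for this example, not WordPress core identifiers.

// Only logged-out visitors need this endpoint, hence the nopriv hook.
add_action( 'wp_ajax_nopriv_example_ajax_login', 'example_ajax_login' );

function example_ajax_login() {
	// Reject requests that do not carry the nonce printed with the form.
	if ( ! check_ajax_referer( 'example_ajax_login', 'nonce', false ) ) {
		wp_send_json_error(
			array( 'errors' => array( 'bad_nonce' => array( 'Please reload the page and try again.' ) ) ),
			403
		);
	}

	$credentials = array(
		'user_login'    => isset( $_POST['log'] ) ? wp_unslash( $_POST['log'] ) : '',
		// The password is only unslashed, never sanitized, so no characters are lost.
		'user_password' => isset( $_POST['pwd'] ) ? wp_unslash( $_POST['pwd'] ) : '',
		'remember'      => ! empty( $_POST['rememberme'] ),
	);

	// wp_signon() runs the 'authenticate' filter chain and, on success,
	// sets the auth cookies on this response. Secure cookies follow the scheme.
	$user = wp_signon( $credentials, is_ssl() );

	if ( is_wp_error( $user ) ) {
		// Forward every code/message pair, including ones added by other
		// plugins, with the HTML that core puts in its messages stripped.
		$errors = array();
		foreach ( $user->get_error_codes() as $code ) {
			$errors[ $code ] = array_map( 'wp_strip_all_tags', $user->get_error_messages( $code ) );
		}
		wp_send_json_error( array( 'errors' => $errors ), 401 );
	}

	// The cookies are set, but the page already in the browser is unchanged;
	// the front-end is told to reload so the UI reflects the logged-in state.
	wp_send_json_success( array( 'reload' => true ) );
}
```

The form would post to `admin-ajax.php` with `action=example_ajax_login` and a nonce created with `wp_create_nonce( 'example_ajax_login' )`.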