Using external DB within WordPress

1) If all output will happen in that one template, I don’t see why you can’t do everything in the template. How it’s organized is really up to you.

2) If the table is in the WordPress database, it certainly simplifies things; you won’t have to create a connection to another database.

3) It’s up to you to validate user input. If you expect an integer, make sure that’s what you have. PHP has a number of functions to assist with this, and WordPress has some functions to assist with this as well. Your queries should use prepare in any case to prevent SQL injection.

You also need to secure output, which WordPress can help you with as well.
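The three steps from point 3 (validate input, use prepare, escape output) put together in one page template, as an added example that is not part of the original answer. It assumes WordPress is loaded and the table lives in the WordPress database; the table name `parts`, its columns, and the query-string parameters `min_qty` and `q` are hypothetical.

```php
<?php
// Added example for a page template; assumes WordPress is loaded.
// Hypothetical names: table "{prefix}parts", columns id/name/qty,
// query-string parameters "min_qty" and "q".
global $wpdb;

// Validate: an integer is expected, so accept only an integer in range.
// filter_input() returns null when the parameter is missing and false
// when it is present but not a valid integer.
$min_qty = filter_input(
	INPUT_GET,
	'min_qty',
	FILTER_VALIDATE_INT,
	array( 'options' => array( 'min_range' => 0, 'max_range' => 100000 ) )
);
if ( null === $min_qty || false === $min_qty ) {
	$min_qty = 0; // fall back to a safe default instead of passing input through
}

// Sanitize free text: strip tags and control characters.
$search = isset( $_GET['q'] ) ? sanitize_text_field( wp_unslash( $_GET['q'] ) ) : '';

// Identifiers cannot be bound as placeholders, so the table name is a
// fixed string built in code and never taken from user input.
$table = $wpdb->prefix . 'parts';

// prepare() binds the values; esc_like() escapes % and _ in the search
// term so they are matched literally inside the LIKE pattern.
$rows = $wpdb->get_results(
	$wpdb->prepare(
		"SELECT id, name, qty FROM {$table} WHERE qty >= %d AND name LIKE %s ORDER BY name LIMIT 50",
		$min_qty,
		'%' . $wpdb->esc_like( $search ) . '%'
	)
);
?>
<ul>
<?php foreach ( (array) $rows as $row ) : ?>
	<?php // Escape on output, per context: esc_attr() for attributes, esc_html() for text. ?>
	<li data-id="<?php echo esc_attr( $row->id ); ?>">
		<?php echo esc_html( $row->name ); ?> (<?php echo absint( $row->qty ); ?>)
	</li>
<?php endforeach; ?>
</ul>
```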