@Danny Arroyo Thanks for reaching out. I will try to answer them according to your points.
1) Your first and second machine scenarios will work provided they are within the cached login timeline (you can consider increasing it if you do not have any VPN deployed). The third device scenario, where the device has not been logged on with the user and there is no VPN, would be a problem, as for authentication the device needs to have line of sight (LOS) to the DC. Obviously this would be fixed when you start using this.
2) If the device is Hybrid AD joined, the credential used will always be on-prem.
3) No, a Hybrid joined device needs to authenticate the user against the DC first.
4) There will be an on-prem user profile.
5) You need to choose one that is constant and use that instead. You can look into the alternate login ID feature for reference.
6) Enable auto-enrollment to Intune, so that a device which gets to AAD via AAD join or Hybrid AAD join gets auto-enrolled in Intune. You can then use a dynamic device group to push out that Always On policy. Check this reference article for creating a VPN profile for hybrid
7) Only if you think the user is going to be that delayed in logging in the second time. No issues if you plan VPN for hybrid, as then this would work even in password change scenarios.
Let me know if you have some other questions.
If the suggested response helped you resolve your issue, please do not forget to accept the response as Answer and "Up-Vote" the answer that helped you, for the benefit of the community.
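As an added illustration of point 6 above (this is example code, not from the answer above or from Microsoft), the following PowerShell creates the dynamic Azure AD device group that the Always On VPN profile would be assigned to, using the Microsoft Graph PowerShell SDK. The group name, mail nickname and the exact membership rule are assumptions; the rule targets Windows devices whose trust type is Hybrid Azure AD joined.

```powershell
# Added example (not part of the original answer): create a dynamic Azure AD device
# group that automatically contains Hybrid Azure AD joined Windows devices, so that an
# Intune Always On VPN profile can be assigned to the group instead of to individual
# devices. Requires the Microsoft.Graph.Groups module and an account that can be
# granted Group.ReadWrite.All. Group name, nickname and rule are assumptions.
Connect-MgGraph -Scopes "Group.ReadWrite.All"

# deviceTrustType "ServerAd" = Hybrid Azure AD joined; "AzureAd" would be Azure AD joined.
$membershipRule = '(device.deviceTrustType -eq "ServerAd") and (device.deviceOSType -eq "Windows")'

$group = New-MgGroup `
    -DisplayName "Hybrid Joined Windows Devices (Always On VPN)" `
    -MailNickname "hybridjoinedwindowsvpn" `
    -MailEnabled:$false `
    -SecurityEnabled:$true `
    -GroupTypes @("DynamicMembership") `
    -MembershipRule $membershipRule `
    -MembershipRuleProcessingState "On"

# Dynamic membership is evaluated by the service asynchronously; re-check after a while.
Get-MgGroup -GroupId $group.Id | Select-Object DisplayName, MembershipRule, MembershipRuleProcessingState
Get-MgGroupMember -GroupId $group.Id | Select-Object Id
```

Once the group shows the expected devices, assign the Always On VPN device configuration profile in Intune to this group; because enrollment is automatic for Hybrid AAD joined devices, new machines pick up the profile without manual targeting.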