Q1: With "Encrypt connection" you have encryption in transit. When a client first attempts a connection to SQL Server / SQL Azure, it sends an initial connection request. Consider this a "pre-pre-connection" request. At this point the client does not know whether SSL/encryption is required and waits for an answer from SQL Server / SQL Azure to determine whether SSL is indeed required throughout the session (not just the login sequence, but the entire connection session). A bit is set on the response indicating so. Then the client library disconnects and reconnects armed with this information. When you set the "Encrypt connection" setting, you avoid the "pre-pre-connection" and prevent any proxy from turning off the encryption bit on the client side of the proxy; this way, attacks such as man-in-the-middle attacks are avoided.
Q2: As for "Trust server certificate", uncheck it to force verification of the server certificate used for the in-transit encryption. This is explained here.
Q3: Configure Transparent Data Encryption on your local database to protect the data at rest on your local server. Azure SQL has TDE enabled by default when an Azure SQL Database is created.
Q4: At this URL you will find a diagram for TDE. In this other article you will find images showing how TLS is used for in-transit encryption and more images explaining TDE. Hope this helps.
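
An added example, not part of the original answer: a small Python check for the two client settings discussed in Q1 and Q2, run over constructed ADO.NET-style connection strings. The function names, host names and sample strings are assumptions made for illustration.

```python
import re

# Values treated as "encryption required" / "not required" by this check.
TRUTHY = {"true", "yes", "mandatory", "strict"}
FALSY = {"false", "no", "optional"}

# key=value pairs separated by ';'; a value may be quoted so it can contain ';'.
PAIR = re.compile(r"""\s*([^=;]+?)\s*=\s*("(?:[^"]|"")*"|'(?:[^']|'')*'|[^;]*)\s*(?:;|$)""")

def parse_connection_string(conn_str):
    """Return {keyword: value}; keywords are lower-cased with spaces removed."""
    pairs = {}
    for m in PAIR.finditer(conn_str):
        key = m.group(1).replace(" ", "").lower()
        value = m.group(2).strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            quote = value[0]
            value = value[1:-1].replace(quote * 2, quote)
        pairs[key] = value
    return pairs

def audit(conn_str):
    """List findings for the Encrypt and TrustServerCertificate settings."""
    opts = parse_connection_string(conn_str)
    findings = []
    encrypt = opts.get("encrypt")
    if encrypt is None:
        # Q1: without the setting, the client relies on what the server answers.
        findings.append("Encrypt not set: encryption depends on driver default and server response")
    elif encrypt.lower() in FALSY:
        findings.append("Encrypt disabled: client does not require in-transit encryption")
    elif encrypt.lower() not in TRUTHY:
        findings.append(f"Encrypt has unrecognised value {encrypt!r}")
    # Q2: trusting the certificate blindly skips server certificate verification.
    if opts.get("trustservercertificate", "false").lower() in ("true", "yes"):
        findings.append("TrustServerCertificate enabled: server certificate is not verified")
    return findings

# Constructed sample connection strings (no real servers or credentials).
SAMPLES = {
    "good": "Server=tcp:db.example.net,1433;Database=app;Encrypt=True;TrustServerCertificate=False;",
    "bad": "Server=db.example.net;Database=app;Encrypt=False;Trust Server Certificate=True",
    "implicit": 'Server=db.example.net;Password="p;w";Database=app',
}

if __name__ == "__main__":
    for name, conn in SAMPLES.items():
        print(name, audit(conn) or "OK")
```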