I don't know all the answers off the top of my head, so I would have to read the documentation. But then again, so can you...
The main reason I post is that you seem to be looking into using CDC as an auditing solution. That is not the prime purpose of CDC. In fact, as far as I know, CDC does not track which user did the change. But if the table has an auditing column, and you can trust that that column is updated in case of an UPDATE, you have the auditing information. Given that it is possible to update a row without changing an auditing column, my personal feeling is that this is not a satisfactory solution.
When it comes to your questions: Yes, CDC works with simple recovery as I recall, but it can lead to log growth, since data cannot be cleared until CDC has processed it. As for the SELECT, I guess that plain SELECT permissions should do. But it has been quite a while since I worked with CDC.