No one can ever fake transactions out of thin air. Bitcoin is cryptography. The requirement for confirmation is due to possible double spending, which will cost far more than a VPN account to do it successfully (to cheat a 0-confirmation system).

Yes. A reliable double spend attack would require many millions of dollars worth of machines, and would be noticeable and verifiable (you could provably say "hey I just got a double spend from this account for this amount"). This means that you're unlikely to get the money in that case (depending on what the community wanted to do in response) but you could reasonably expect to know if people are issuing double spends. I don't think it is in the interest of miners (the ones who have already invested, in sum, millions in mining machines) to collude for double spends except on incredibly valuable transactions, as it would undermine the value of Bitcoin, which they are profiting from and have significant investment in.

This is a problem that can easily be dealt with if/when it arises.