That is auto-triggered by software detection at a device level isn't it?

I tried spoofing GPS with Niantic's Ingress game, just about the second time I played, and the spoofing apps relied on the fake location flag in the dev settings - of course Niantic checked to see if that was set and refuse to work if it was [until the system was rebooted, with the flag disabled, AFAICT]. Haven't tried with PoGo as I'm more interested in playing it [with my kids, honest!] than working out how it works.

Not necessarily. At least on Android, it is rather simple to just use Xposed Framework to basically "mock syscalls".

No clear answer to this as far as anyone can tell. From the evidence it definitely looks like there's a server component, though.