The NixOS configuration options remain the same whether you use flakes or not. Usually one flake is enough to configure a NixOS system, or even several systems, unless you have a good reason to split it up into multiple flakes.
Yes.
Most services under NixOS already use their own separate (often dynamic) users: see Jellyfin, Bookstack, Vaultwarden.
You can also look into NixOS containers, but again, most NixOS service modules implement basic isolation / hardening measures, and you might not need containers.
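
The kind of per-service isolation described above, written out for a service that has no upstream module. This is an added example, not part of the original reply; the service name `myapp`, its port and its command are hypothetical, while the `serviceConfig` keys are standard systemd sandboxing directives.

```nix
# configuration.nix fragment (added example; "myapp" is a hypothetical service)
{ pkgs, ... }:
{
  systemd.services.myapp = {
    description = "Hypothetical service with a dynamic user and sandboxing";
    wantedBy = [ "multi-user.target" ];
    after = [ "network.target" ];

    serviceConfig = {
      # Placeholder workload: serve files from the service's own state directory.
      ExecStart = "${pkgs.python3}/bin/python3 -m http.server 8080 --directory /var/lib/myapp";

      # No static account: systemd allocates a transient UID/GID at start.
      DynamicUser = true;
      # Creates /var/lib/myapp, owned by the dynamic user, as the only writable path.
      StateDirectory = "myapp";

      # Filesystem view: read-only OS, no home directories, private /tmp and /dev.
      ProtectSystem = "strict";
      ProtectHome = true;
      PrivateTmp = true;
      PrivateDevices = true;

      # Privilege limits: no capabilities, no setuid escalation.
      CapabilityBoundingSet = "";
      NoNewPrivileges = true;
      RestrictSUIDSGID = true;

      # Kernel surface.
      ProtectKernelTunables = true;
      ProtectKernelModules = true;
      ProtectControlGroups = true;
      RestrictNamespaces = true;
      LockPersonality = true;
      SystemCallArchitectures = "native";
      SystemCallFilter = [ "@system-service" "~@privileged" ];

      # Network: IP sockets only (add "AF_UNIX" if the workload needs local sockets).
      RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
    };
  };
}
```

After a rebuild, `systemd-analyze security myapp.service` reports which sandboxing directives are in effect for the unit; running it against `jellyfin.service` or `vaultwarden.service` shows what the upstream modules already apply.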