I'm arguing that on an unlocked phone, this flag should be ignored, OR the software should be re-engineered to do away with the flag in the first place (customers cannot abuse service by editing APNs if the customer is provisioned correctly by the carrier on their end in the first place). It's a dumb restriction, a dumb option to give carriers, and a dumb thing to hoist on customers that bought the phone out-right or who are no longer under contract.
1) iOS does ship with a collection of the latest versions of partner carrier profiles as of the ship-date of that iOS version, as you point out. So you can't try to do an end-run around the AT&T profile restrictions by, say, doing a complete restore of iOS on your phone, followed by activation of the phone using a SIM that isn't from a carrier partner in order to cause it to use the generic carrier profile (for example, T-Mobile U.S.), followed by SIM-swapping back to your AT&T SIM. The AT&T profile is lurking in there, ready to be consulted when you switch SIMs, on every iPhone.
2) This is still a proprietary Apple scheme for pushing APNs for carriers (carrier profiles are plists), and not some universal standard for doing carrier programming updates "over the air." Carriers can build and submit their carrier profiles to Apple, but Apple then centrally distributes the profile updates from their own servers. And AFAIK, if you're a carrier, Apple is not going to host a carrier profile for you unless you have some formal relationship with Apple (become a "supported" carrier).