1) iOS does ship with a collection of the latest versions of partner carrier profiles as of the ship-date of that iOS version, as you point out. So you can't try to do an end-run around the AT&T profile restrictions by, say, doing a complete restore of iOS on your phone, followed by activation of the phone using a SIM that isn't from a carrier partner in order to cause it to use the generic carrier profile (for example, T-Mobile U.S.), followed by SIM-swapping back to your AT&T SIM. The AT&T profile is lurking in there, ready to be consulted when you switch SIMs, on every iPhone.
2) This is still a proprietary Apple scheme for pushing APNs for carriers (carrier profiles are plists), and not some universal standard for doing carrier programming updates "over the air." Carriers can build and submit their carrier profiles to Apple, but Apple then centrally distributes the profile updates from their own servers. And AFAIK, if you're a carrier, Apple is not going to host a carrier profile for you unless you have some formal relationship with Apple (become a "supported" carrier).