This is unfortunately fairly complicated when you consider every detail of how a wallet works. I'll try to answer your questions accurately without getting into a bunch of details.
1) The .dat file stores all of your "keys" for your bitcoin addresses, both public and private keys. Private keys are what are used to prove ownership of the public address and should be protected and/or secured.
2)
Does it contain access to your current wallet or just to your wallet (and BTC) at the time of the backup?
Well, that gets tricky because there are "invisible" addresses/keys stored in your wallet too (I believe the number is of these phantom addresses/keys is 100). These become visible when you click to create a new address and are also used to send "change" back into your wallet when you send coins to an address that is of an amount less than a single input to one of your addresses. Some invisible/future addresses are stored in the .dat file, but if the .dat file is too old it won't contain all of the addresses/keys that have been used.
So if a .dat backup is too old (IE, if the sum of the number of sends you made plus the number of new addresses you created is more than 100) it will not have access to all your coins. This scenario is bad, you want your backup to have access to all your keys/addresses/coins because that is the purpose of the backup. Make frequent backups and you'll be all set.
The simplified answer is yes your backup wallet will have access to all your bitcoins, even if the transaction occurred after you made the backup, and yes if someone gets an old .dat file they have access to empty you wallet!
3) Use the "encrypt wallet" feature in the Bitcoin-QT client and/or store your .dat file(s) on an encrypted TrueCrypt volume. Do that for the live/running wallet file that the client is currently using in addition to all backup wallet files.
4) I believe an encrypted wallet can be backed up the same way as an un-encrypted wallet and will create a file with a .dat extension. A password will be necessary to import that encrypted wallet though.
Well, I guess I got into some of the details. Someone let me know if I missed any other details or gave any inaccurate information.