Sender Rewriting Scheme

Sending bounces to the author is administratively simpler and was previously accomplished by keeping the original envelope sender.

By design, mail rewritten with SRS fails DMARC's SPF alignment check.

Compared with VERP, the local part (alice) is moved after her domain name (example.org), and a prefix (SRS0), a hash (HHH), and a timestamp (TT) are added.

This reflects an operational difference: any bounces sent back to a VERP address are handled within the rewriting domain, and forged messages can at most unsubscribe some users, a kind of abuse that has not seen significant exploits in recent decades.
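The SRS0 layout described above, sketched as an added example that is not part of the original page or of any SRS implementation: it builds `SRS0=HHH=TT=example.org=alice@forwarder` and rejects forged or stale bounce addresses on the way back. The HMAC-SHA256 hash truncated to four characters, the day-counter TT encoding, the 21-day window, the secret and the forwarder domain example.com are assumptions chosen for illustration.

```python
import base64
import hashlib
import hmac
import time

SECRET = b"constructed-demo-secret"  # assumption: forwarder's private key
B32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
MAX_AGE_DAYS = 21  # assumption: how long bounces are accepted


def _day(now):
    return int(now // 86400) % 1024


def _hash(tt, domain, local):
    """HHH: truncated keyed MAC over timestamp, domain and local part."""
    msg = "=".join((tt, domain.lower(), local)).encode()
    mac = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return base64.b64encode(mac).decode()[:4]


def srs0_forward(sender, forwarder, now=None):
    """alice@example.org -> SRS0=HHH=TT=example.org=alice@forwarder"""
    day = _day(time.time() if now is None else now)
    tt = B32[day >> 5] + B32[day & 31]  # TT: two base32 characters
    local, domain = sender.rsplit("@", 1)
    return f"SRS0={_hash(tt, domain, local)}={tt}={domain}={local}@{forwarder}"


def srs0_reverse(address, now=None):
    """Return the original sender; raise ValueError if forged or stale."""
    parts = address.rsplit("@", 1)[0].split("=", 4)  # local part may hold '='
    if len(parts) != 5 or parts[0].upper() != "SRS0":
        raise ValueError("not an SRS0 address")
    _, hhh, tt, domain, local = parts
    if not hmac.compare_digest(hhh.encode(), _hash(tt, domain, local).encode()):
        raise ValueError("hash mismatch: forged or altered address")
    if len(tt) != 2 or any(c not in B32 for c in tt):
        raise ValueError("malformed timestamp")
    age = (_day(time.time() if now is None else now)
           - (B32.index(tt[0]) * 32 + B32.index(tt[1]))) % 1024
    if age > MAX_AGE_DAYS:
        raise ValueError("timestamp expired")
    return f"{local}@{domain}"


if __name__ == "__main__":
    rewritten = srs0_forward("alice@example.org", "example.com")
    print(rewritten, "->", srs0_reverse(rewritten))
```

Because the hash covers the timestamp, the domain and the local part, changing any of them in a bounce address makes `srs0_reverse` refuse it, and the modulo-1024 day counter bounds how long a captured address stays usable.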

If example.net has to forward the message in turn, it can avoid adding another timestamp and repeating the original local part (alice).

The i= tag of a DKIM-Signature may be a good place, as such a choice considerably improves security, and this technique has been observed.

Historically, all mail transfer agents (MTAs) added their host name to the reverse path.

The MDA transforms the reverse path into the known Return-Path header field. SMTP uses MX records for its forward routing.

One special case in RFC 1123 is that of gateways from or to other networks such as UUCP and NetNews, where the first sending MTA cannot reach the final receiver directly with TCP.

Note that all current forgery detection methods require the mailbox owner to supply information for them to work.

Failing to supply the criteria should not make any bounce message classifiable as backscatter, although some people mistakenly think it should.