1 – Yes
2 – Implicit trusts by groups – group A (ABC) is given permissions to resources on XYZ, group B (XYZ) is given permissions to resources on ABC. This means the users do NOT need accounts in both domains. Permissions by group save a lot of wear and tear on the admin staff.
3 – No. That was the easy answer. Truthfully it will depend on the manner in which you connect the schemes. Firewall to firewall and the ‘NAT’ will do the work for you. Inside the firewalls, Private set 1 (i.e. 192.168.aaa) to private set 2 (i.e. 192.168.bbb) would just be a sub net adjustment. Private set 1 to private set 3 (i.e. 10.ccc.ddd) would need bidirectional NAT and careful thought about the larger overwhelming the space in the smaller. For security and addressing simplicity consider VPN – a member of A has two addresses one for his A domain and the VPN address for B.