I won't address the rest, but:
> b) I see no evidence that upstream arranged to ship any notice in their binaries, so I don't see how it's reasonable to expect downstreams to do it
Downstream is not in compliance. The fact that upstream has made that compliance hard/impossible is not relevant to the fact that downstream is infringing.
And it's not hard at all. You just include a text file with a third party software notice that has all the licenses, alongside the binary. All major companies shipping F/OSS in their products somehow manage to do this just fine (I have personally done so for three different products at two different companies).
It's so normal and common that your car's infotainment screen has a page for it, and it causes the guy who built a useful open source project to get hate mail, because his email address is listed there.