I’ve found it’s best to shoot from the hip. If they are as big as they claim (and in the US), they’re expecting to pay out the nose. Also, keep in mind that HR is separate from the development side of the house (even if they have developers conducting interviews) and they’re also likely under the gun to find good hires. All of this plays to your advantage. I think the best play is to generally shoot high and see how they roll with it. It’s also best to adopt an attitude that you’d rather walk away than take a bad job.
You can setup multiple store views as different subdomains. It’s easy to setup https://devdocs.magento.com/guides/v2.4/config-guide/multi-site/ms_websites.html
Your SEO information should be configurable on a storeview level, you can change scope in the admin for most places - have them to change to the website or storeview and customize it there https://docs.magento.com/user-guide/configuration/scope-change.html
Mac’s are probably a bit tamer for the uninitiated, but historically I like to run Linux and would enthusiastically endorse Fedora for a Magento developer. But these days, I hear that the M1 Pro makes for a phenomenal dev laptop that really can’t be matched in the x86 realm, probably the right way to go.
You’ll most likely want something in front of varnish to terminate TLS/SSL. A CDN can offer this, but for e-commerce it’s best to terminate on the local network of the server. A reverse-proxy that terminates SSL and proxies the HTTP request to varnish is the usual solution. Traefik is a great choice, and can even generate that cert with Let’s Encrypt. You can also wire this up directly with NGNIX, or indirectly with Kubernetes with an Ingress Controller. If you’re doing this yourself, consider Terraform and a cloud K8S provider so you can properly scale and reproduce your setup.
Magento doesn’t store passwords directly, it stores a hash. The same is probably true for WooCommerce. You wouldn’t be able to re-hash the password but you may be able to tweak Woo’s hashing logic to match Magento’s. I would avoid this though, password resets aren’t very burdensome and even give you an excuse to engage with customers. The rest you can probably migrate.