I'm wondering whether we should be signing the Packages file as well. There probably aren't any very dangerous attack vectors via replacing the index, but I suppose there's no harm in doing that either.
One attack I can think of is modifying a binary package's *DEPEND in the index to trick the user into installing an additional package, perhaps one that could expose the system to a vulnerability.
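A defender-side check for the tampering described in the message above, added here as an example and not code from the thread or from Portage: it parses a Portage-style binary package index and compares each entry's *DEPEND fields against the dependency metadata carried inside the signed package itself, flagging any entry where the unsigned index claims extra dependencies. The index text and the trusted metadata dict are constructed samples, and the stanza layout is assumed to follow the Packages file format.

```python
# Constructed sample of a Portage-style binary package index ("Packages"):
# a header stanza followed by one stanza per package, "KEY: value" per line,
# stanzas separated by blank lines. The second entry has had an extra
# dependency injected, which is the attack discussed above.
SAMPLE_INDEX = """\
PACKAGES: 2
ARCH: amd64

CPV: app-misc/foo-1.0
RDEPEND: dev-libs/bar
SHA1: aaaa
SIZE: 1234

CPV: app-misc/baz-2.1
RDEPEND: dev-libs/bar net-misc/injected-extra
SHA1: bbbb
SIZE: 4321
"""

# Constructed stand-in for dependency metadata read from each signed binary
# package itself (the part a package signature covers; the index is not).
TRUSTED_METADATA = {
    "app-misc/foo-1.0": {"RDEPEND": "dev-libs/bar"},
    "app-misc/baz-2.1": {"RDEPEND": "dev-libs/bar"},
}

DEP_KEYS = ("DEPEND", "RDEPEND", "PDEPEND", "BDEPEND")


def parse_index(text):
    """Return {CPV: fields} for every stanza that names a package (header skipped)."""
    entries = {}
    for stanza in text.strip().split("\n\n"):
        fields = {}
        for line in stanza.splitlines():
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
        if "CPV" in fields:
            entries[fields["CPV"]] = fields
    return entries


def check_index_deps(index_text, trusted):
    """Return (cpv, key, index_value, trusted_value) for every dependency mismatch."""
    mismatches = []
    for cpv, fields in parse_index(index_text).items():
        signed = trusted.get(cpv, {})
        for key in DEP_KEYS:
            # Compare as token sets so ordering or whitespace differences do not alarm.
            if set(fields.get(key, "").split()) != set(signed.get(key, "").split()):
                mismatches.append((cpv, key, fields.get(key, ""), signed.get(key, "")))
    return mismatches
```

Running `check_index_deps(SAMPLE_INDEX, TRUSTED_METADATA)` reports only the baz-2.1 RDEPEND entry, so a client that refuses to resolve dependencies from an index entry that disagrees with the signed package metadata closes this vector even without a signed index.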
Sure, why not. As long as other tools are willing to support GPG signing and compression.