yes, the second one will also match files named with any quantity of dots as long as that's the entire filename. In practice, I've never seen a file that started with "..", but I agree it's an issue.
I have, but only on a machine that's been broken into. It is, or at least used to be, common to hide malicious software inside directories called ... -- of course, these days all the l33t kiddies are using loadable kernel modules to hide their directory trees anyway, so it may not be as relevant.
--
@/=map{[/./g]}qw/.h_nJ Xapou cets krht ele_ r_ra/;
map{y/X_/\n /;print}map{pop@$_}@/for@/