[SalesForce] REST API Authentication Options for backend service

Answering your questions in order:

• In the interactive web server/user-agent flows, the user submits their credentials directly to Salesforce, and the app receives the short-lived access token and, optionally, a long-lived refresh token. The refresh token is scoped to that application, and may be revoked by the user or an admin at any time, without any impact on other applications. The admin can even set policy for refresh tokens, choosing to invalidate them after some period of inactivity etc. This is not true of username/password - the user shares their Salesforce credentials with the application. If, at a later time, the user decides that they do not trust that app, they needs to change their password at Salesforce, and update any other apps that might be holding the username and password.
• The app is responsible for safely handling and, possibly, storing those credentials, which have much wider scope than the refresh token. It's not that the username/password flow is less secure than the interactive flows, it's that the responsibilities of the app are much greater, and the consequences, if the app does not fulfill those responsibilities, more severe.
• They are not sent as URL parameters, but posted as application/x-www-form-urlencoded data - see this article.

I would advise you to consider one of the interactive flows, and store the refresh token, or even JWT Bearer Token flow, where the app creates a signed token, rather than username-password, which should be considered a last resort, when no other option is available.

You need to pass in a Session ID that has API access. You can get this Session ID any way you want, including SOAP login() (see Setup > Develop > API for the WSDL files), SAML authentication via Single-Sign On (SSO), the Session ID from a Workflow Outbound Message, or any of the OAuth flows (Web Server, Client, or Username-Password). You provide the Session ID through the SessionHeader provided by the WSDL.

You'll want to check the appropriate documentation for your chosen method of logging in. The SOAP login() and the OAuth Username-Password flows require directly handling the username and password, while the other methods handle the login through other means, such as logging in through a WebForm.