You can basically do two things:
Use the semi-official AS3 API (based on the old rest API), and Facebook Connect. This can save you some time, although it's cumbersome (methods are weird, examples seldom work, Facebook Connect breaks randomly, testing locally is a bitch).
Use the new Graph API, and OAuth for permissions. Technically this is the best, and OAuth is a lot better (meaning it's not as crazy) than the old Facebook Connect but because it's new, there's no definitive AS3 API for it.
I would personally recommend option 2 - it's a much more elegant solution. However, it means you may have to dig in, building your own AS3 layer to the Graph API (not a huge issue really - the API is simple) or using some third-party (potentially unpolished/incomplete) one, and understanding OAuth if you're never used it.
The good thing about building your own framework is that you'd be able to get a better understanding of how Graph/OAuth work so you could use it in the future. I know this may sound weird, but it's so common that Flash websites/apps have to use the Facebook API that having a good understanding of it, and a Facebook framework you have low-level control, is a great asset. I've had to use third-party AS3 APIs with Facebook Connect in the past and it was hell; I've recently started building my own, for my own purposes (so it doesn't cover everything the API can do), and it's a much saner solution.
Regarding question 3 - the advanced permissions can be requested at any time - either when the user first allows the application to access his/her data, or later when you need to use some advanced feature like publishing to their stream. You can also check whether the user has already granted permissions for that.
Also, for your additional question - regardless of what you build (whether it's a separate page, an application, or a tab) you always need an 'application' created. Unless you're using the public API (like reading a public page stream); then it's only the Graph API with no authentication and as such, no App key.