It sounds like I would do that by specifying:
%updatepath%/%file%
as the only Download site?
Yes.
Would I mark that as "both server & update site", "Just a server site", or "Just an update site"?
Whichever works best for you. If all the files will be in a single folder, then set "Both server & update site".
And that would be where both the *.wys and *.wyu files are stored (So I assume I'd use "both server & update.." above?)
Yes.
Additional Question: I assume that unless the .wyp file is generated new for each project, it would be possible for someone with rudimentary skills to now force an update from an update location that isn't really authorized for them by executing wyupdate -server "url-to-newer-version" unless the newer version was generated from a completely different .wyp (which has a hash-key or some such to avoid cross-updates between products)?
Use update signing to prevent this.
And I am also still under the impression that there isn't any way to create a .wyp file from the command line?
Not currently.
Product A 1.x could potentially update using Product A 2.x updates if wyupdate is forced to update from the Product A 2.x URL?
If you change the GUID and the Update Signing key, then no.