1- When I activate using the ActivationResponse file AFTER its expiration date, I get a Failed to activate (ret=1), instead of a DateTime Exception.
Right, that's just how we handle it. We might make a specific exception / error for expired activation response files in the future. Right now, if the activation response gets a failure then you can assume either the file is corrupt, it's expired, or it's for a different computer.
2- When I activate after changing the computer clock to a date before the ActivationResponse file expiration date, activation is still accepted (I tried backing the date from 1 day to 8 days, all with success). This is not what I expected either.
We have some date/time fraud detection. We're always adding more. Of course client-side date/time fraud detection is always limited (because by its very nature it can't contact things outside of that computer, i.e. the Internet).
So, if you want the best fraud detection then disallow offline activations altogether. Honestly, for 99% of your customers that will be the easiest option.