It's quite useful, but -like just about everything- not necessary.

Run it in what miniupnpd calls "secure mode" (which prevents clients from adding rules for IPs they can't talk from), put the daemons's rules after your manually-managed ones and -because of today's world of NAT hole-punching and "just tunnel it over HTTPS, it's the universal firewall bypass protocol" techniques- you're exactly as secure as if you had it off.

You'd need to run a daemon like miniupnpd to enable UPnP, however I'd avoid it if you can, as it can be a significant security risk.

Not necessarily at all and a huge security risk.