
User password versus Admin password

Hi there,


I'm working in a small company, where I have 5 employees in a graphic design studio and print house.

We are using Mac computers and have done so since I established the company.


We have to improve our workplace with 3 other employees. Therefore we also have to make a new architecture of our user-policies. I must admit, that I'm a bit new to user policies, but hope some kind person can help me to answer my questions.



1): I know from time - back in school and Windows computers - Every user got their password for the login. It was possible to install apps if we needed, but we couldn't change any settings. It was only the administrators, who could do this with their user-info and passwords. Is it possible to do the same in the Mac environment?


Cause now every time someone needs to install an app, it requires the admin password, or if a user needs to change something in other apps or settings.


2): What can I use in the future for e.g. user-settings, since Apple has made an end of the Server-software.

Cause what if an enterprise company has 100+ Macs over a network. How to admin all these?


3): If I have an older Mac Pro I want to use as file-server, will it be possible to make connection to the shared folders outside the local-network, but through the Internet?


I have the router which can do it, but I need to know how to set up the Mac Pro to accept the access from the MacBooks outside the LAN, but through the internet. (I'm NOT looking for any desktop/monitor-support-solution).


I hope you will give me your best replies. Thank you.


Best regards,


Mac Pro (2019)

Posted on Apr 8, 2024 9:38 AM


1 reply

Apr 9, 2024 8:21 AM in response to candi_dk

1: Yes. Macs support two basic account types: Administrator and Standard. Every Mac will create an Admin account when first powered on. However, you can create additional accounts (Apple menu > System Settings... > Users and Groups) as Standard accounts. If you want your end users to be standard users, then when you initially set up the Mac, create a unified admin account that you know the credentials for. Then create a second Standard account for your user. Please note, the ARM-based Macs require an admin to be logged in to apply OS updates. If you embrace the Standard user account, your end users will not be able to apply updates. You will need to physically go to each device, log in as the local admin, and then run the updates. Also, Standard users cannot pause or resume print queues. Since you are a design studio, you may have a fancy printer or print server. If the printer ever has an issue, and the print queue on the Mac is paused, you will need to drop in to authorize the resume (this can be overcome by adding everyone to the lpadmin group using dseditgroup).


Now, an expanded answer is that macOS also supports cloud accounts. This can include Apple IDs, Managed Apple IDs, Microsoft IDs, Google IDs, and most other identity providers (Ping, Okta, etc.). However, for this to work, you will need an MDM that supports a login window shim. One example is Jamf Connect via Jamf Pro. In this example, the login window will be the Microsoft cloud login window, allowing the user to use their O365 ID to log into the Mac. Jamf Connect now includes a temp admin feature to allow Standard users to temporarily promote themselves to admin. This is a more advanced setup but one that can provide exactly what you are looking for. Apple is working on Platform SSO, but that will require an MDM to enable.


2: Apple platform management is performed via an MDM. There are many MDMs on the market. Some to investigate are Jamf Pro, Mosyle, Intune (Microsoft), and Apple Business Essentials (this is really only good for incredibly simple deployments - you likely use Adobe products... don't try to use Business Essentials). But before we talk MDM, you should take a look at Apple Business Manager (Apple Business Manager and Apple Business Essentials are two different things). Apple Business Manager is a free service provided by Apple that is the foundation stone for fleet management. It provides chain of custody for hard assets (Macs, iPads, etc.), soft assets (apps and books available in Apple's online stores), and identity federation for the creation of Managed Apple IDs. Apple Business Essentials is Apple's MDM that replaced Profile Manager (included with Server.app). ABM is free. ABE costs money just like other MDMs. Sign up for ABM here.


Remember, deploying an MDM makes managing the Apple Platform easy. Deploying an MDM is hard. Consider reaching out to a consultant or managed service provider to rapidly and properly deploy your MDM.


3: I discourage the use of traditional file servers. Look at FileProvider services like Microsoft or Dropbox. However, if you are adamant in the use of the old Mac Pro as a file server, DO NOT, DO NOT open up the SMB port to the Internet (port forwarding). That will be a huge mistake. Set up a VPN and then your remote users will perform a two-step process of connecting to the server. Step 1: connect to the VPN. Step 2: Connect to the file server over the VPN connection. This is the safest way to provide access to LAN-based resources. If you simply do an SMB port forward, then malicious port scanners will find your server and hammer it with login attempts. For the VPN to be most effective, you should have a static public IP address. Check your firewall to see what type of VPNs it supports. macOS supports L2TP, Cisco, and IKEv2 natively. Many firewall vendors have their own apps for SSL-based VPNs. And there is always VPN Tracker that supports most everything. Please note, SMB performance over a VPN is notoriously crappy. Again, I encourage moving on from traditional file services and embracing cloud document storage. Yes, there are monthly fees. Yes, graphics departments have larger data sets. But there is flexibility and security.


Hope this is helpful.
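
Added example, not part of the reply above: a small audit of the account layout described in point 1 (one shared admin account, Standard accounts for everyone else, print-queue rights via lpadmin). The account names, the `studioadmin` shared admin account and the UID >= 501 cutoff for human accounts are assumptions made for the illustration; the sample listings are constructed in the shape `dscl` prints them.

```shell
#!/bin/sh
# Added example (not from the thread). Sample data below is constructed.
# On a Mac, feed it live data instead:
#   classify "$(dscl . -list /Users UniqueID)" \
#            "$(dscl . -read /Groups/admin GroupMembership)" \
#            "$(dscl . -read /Groups/_lpadmin GroupMembership 2>/dev/null)"
# Only direct membership is read; nested groups are not resolved.

SAMPLE_USERS='_spotlight 89
root 0
studioadmin 501
anna 502
jonas 503
mette 504'
SAMPLE_ADMIN='GroupMembership: root studioadmin jonas'
SAMPLE_LPADMIN='GroupMembership: anna'

# members "<GroupMembership line>" -> one member name per line
members() {
    printf '%s\n' "$1" | sed -n 's/^GroupMembership: *//p' | tr ' ' '\n'
}

# classify <users> <admin line> <lpadmin line>
# Prints "name role queue-rights" for each human account (UID >= 501).
classify() {
    printf '%s\n' "$1" | awk '$2 >= 501 {print $1}' | while read -r user; do
        role=standard; queue=no
        members "$2" | grep -qxF "$user" && role=admin
        # Per the answer, only Standard users are blocked from resuming queues.
        if [ "$role" = admin ] || members "$3" | grep -qxF "$user"; then
            queue=yes
        fi
        printf '%s %s %s\n' "$user" "$role" "$queue"
    done
}

# findings <classify output> <name of the one shared admin account>
findings() {
    printf '%s\n' "$1" | awk -v keep="$2" '
        $2 == "admin" && $1 != keep { print "DEMOTE " $1 ": everyday account is an Administrator" }
        $2 == "standard" && $3 == "no" { print "PRINT " $1 ": cannot resume a paused print queue" }'
}

findings "$(classify "$SAMPLE_USERS" "$SAMPLE_ADMIN" "$SAMPLE_LPADMIN")" studioadmin
```

A `PRINT` finding is what the dseditgroup route mentioned in the reply addresses, for example `sudo dseditgroup -o edit -a <user> -t user _lpadmin` for a single account (`_lpadmin` is the record name behind lpadmin on macOS).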


