Because then every user would need a BitLicense (or similar, for their jurisdiction). If this service (“vending machine”) could be disabled, then we can assume that most people would disable it.
Yes, but all nodes must agree on the transactions. Validation is done through the blockchain, so any individual CP server can insert a fake transaction in its own Sqlite DB, but it won’t matter (except to those using that server without any verification) because it won’t be matched/replicated to other Counterparty server instances (which get their date from the blockchain, not from other Counterparty servers).
Related to Koinify-like services, Tokenly is creating - and getting close to beta - a DIY vending machine which is a combination of Shapeshift-like and Koinify-like service.:
(Trusted) individuals would be able to voluntarily run such servers and potentially benefit from token sales (either resale or issuance).