My understanding is that the config is available via localhost only. It most instances it does not need to be disabled. I think the hope is that it will be left enabled in production, not disabled.
Excellent. I'm really excited about Caddy 2. We've been using Caddy 1 to server all our main sites over https and simply for the last 4 years. I moved away from Apache and have never ever looked back.