There might be specific AD attributes, which - apart from others - do not appear in the Okta user profile. Can those extra attributes be mapped and provisioned towards an app?
Solution: Yes, but you need to have a SAML 2.0 integrated app or such flow

Which is a / are best-practice(s) in a SAML 2.0 situation?
Solution: To not link your admin user from the SP via SAML with a user from Okta, if the app (SP) does not provide a SAML bypass URL

In Okta's KB articles the set of functions under the 'Provisioning' concept are referred to as CRUD. This is a concept you also meet when referring to CRUD APIs. What about its meaning here, in Okta's vision?
Solution: In 'Provisioning', CRUD stands for Create, Read, Update, Delete

Can you include / exclude users from specific Network Zones defined in Okta from both Sign On and Password policies?
Solution: Only for Password policies you have such granularity

Okta has a json representation of objects such as 'users', json schema interchanged on API calls, as an example, but what about the format of information regarding of a user going to a SCIM server for creating the user in an On Premises application?
Solution: Format is different: xml