Sure, but again, this only applies to someone who has never connected before and who doesn't know anyone on the network AND who has downloaded a version of the software that has no valid checkpoints in it.
Yes, this is a good description of a syncing node. The checkpoints thing is a mitigation, but I maintain that once you start using checkpoints for security, all you end up with is a centralised service with redundancy, not a decentralised or trustless system, which are the key tenets of cryptocurrency.
edit: simple thought experiment: if checkpoints are so great, why not use them for every single block and have a 100% attack resilient system?