The users’ client should be free to select any of a plurality of nodes to grab data from. And the list of nodes should be permissionless.
They can. I'm pretty sure I've seen some of the UI that allowed the user to choose it or enter their own.
It is also possible to just run a client that doesn't rely on a remote web server for UI although unless you are also running a node you will be relying on a remote web server for the web socket and susceptible to DDoS. Some people have done the former and avoid all interruptions related to web servers and web services, although there isn't any user friendly way to do that (requires installing all of the front and back end software yourself).
Well if you make a popular client that does that, then the attackers will simply attack those full nodes as well. As I said, the only distinction between nodes which are webservers and those which are not, is a matter of choice of the designers of Steemit, busy.org, etc...
Those nodes don't have to be public at all. You can run your own, its just a p2p network like any other blockchain.
The Steem DPoS blockchain has never been down since some software bugs crashed it once or twice in the first few months.
Because afaik (I think perhaps you told me) the IP addresses of the DPoS delegate witnesses (i.e. the consensus block generating nodes) are a very tightly held secret amongst the whales. Then there are lots of whale controlled nodes on the perimeter to absorb the DDoS attacks. And the perimeter is what I assume we are talking about right now?
You're confusing block producers and regular nodes. If the bulk of the block producers are taken down, the network will grind to a halt. It is a lot harder to do that for two reasons. One is that the services they provide at the p2p layer are very limited and by design like all p2p layers somewhat difficult to attack (compared to the web service layer which requires higher level operations like "show me all of @user's posts"). The other is that the IP addresses are secret. Not even shared with each other, and most of the block producer nodes don't accept incoming connections. Whales don't really have anything to do with this, so I'm not sure where you are getting that from.
But for regular nodes (which you might run on your own computer, an exchange or other service might run, etc.), it's just a p2p network. There's never been an inability for any ordinary node to connect to the p2p network afaik (other than implementation bugs, none known to exist right now). In fact I'm not aware of any p2p network that has been successfully DoS attacked on a large scale. It is certainly a lot harder than attacking a few known web servers.
As Vitalik pointed out, the usage has been quite small. Scale and up then the fireworks are more likely, because the incentives to attack it will be much greater.
I guess it is all relative. It has something like top 3 users and transactions among all blockchains (and on occasion has been #1 in transactions). That may still be considered small in the pig picture.