Wallet.dat is the only one that will enable people to take your coins.
I'm not so sure about this. I think that there may sometimes be BDB-related files there which could leak keys.
debug.log can probably be used to figure out which transactions are yours.