This is mostly correct. The games actually get a choice about how they want to render.
Most games will choose to render at 60fps; the game reports this to the OS, and then the headset will know to reproject between each frame, so the game gets plenty of time to get the next actual frame ready.
Some games will do 120fps though, not sure who will pull that off voluntarily though!!!
I don't think this is a good idea, even if the database is just listening to localhost.
Say a malicious script gets uploaded to the machine, it will be able to dump the entire database without any need to seek out credentials.
MD5 hashing of emails is a very common practice for Gravatar etc. - although it's fairly sucky, I'm assuming this is in the API specifically for things like showing Gravatar images.
I reported a username -> plaintext email vuln to Disqus earlier this year and they were very prompt in patching it. I wouldn't criticize them for this at all, as this is a very common issue across most blog comment systems.
Would be nice to change how Gravatar works, but it's fairly fundamental. I think if you want your email to be private you should probably be registering temporary ones or using the + aliases like Gmail offers to avoid these kinds of hash-cracking attacks.
Another solution would be for these services to use something with a greater work factor than MD5. When a typical user can brute force MD5s at a rate of 8.5 billion per second with an AMD HD7970 graphics card, then it's time to use a different hashing algorithm. Something like scrypt or bcrypt with a larger work factor would make these attacks much harder and more expensive, while leaving the fundamentals of the system the same.
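
The work-factor point in the last comment, as an added example that is not part of the original comments and is not Gravatar's or Disqus's code. It derives the same deterministic avatar key from an email with MD5 and with scrypt and compares the per-guess cost; the scrypt parameters, the fixed `SITE_SALT` and all function names are assumptions made for illustration.

```python
import hashlib
import time

# Assumed scrypt cost parameters (illustrative, not from any real service).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2**14, 8, 1
# The identifier must stay a deterministic lookup key, so the salt has to be
# fixed and public. It gives domain separation only; the work factor is the
# sole thing slowing down guessing. Constructed placeholder value.
SITE_SALT = b"example-avatar-service-v1"


def normalise(email: str) -> bytes:
    """Trim and lower-case so one address always maps to one identifier."""
    return email.strip().lower().encode("utf-8")


def md5_id(email: str) -> str:
    """Gravatar-style identifier: MD5 of the normalised address."""
    return hashlib.md5(normalise(email)).hexdigest()


def scrypt_id(email: str) -> str:
    """Same role as md5_id, but every guess costs one memory-hard scrypt run."""
    return hashlib.scrypt(
        normalise(email), salt=SITE_SALT,
        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P,
        maxmem=64 * 1024 * 1024, dklen=32,
    ).hex()


def seconds_per_hash(fn, rounds: int) -> float:
    """Average wall-clock cost of one identifier computation."""
    start = time.perf_counter()
    for i in range(rounds):
        fn(f"user{i}@example.com")  # constructed sample addresses
    return (time.perf_counter() - start) / rounds


def cost_ratio() -> float:
    """How many times more expensive one scrypt guess is than one MD5 guess."""
    return seconds_per_hash(scrypt_id, 3) / seconds_per_hash(md5_id, 20000)


if __name__ == "__main__":
    print("md5   :", md5_id(" User@Example.com "))
    print("scrypt:", scrypt_id(" User@Example.com "))
    print(f"one scrypt guess costs about {cost_ratio():,.0f}x one MD5 guess on this CPU")
```

Because the salt is fixed, an attacker can still test candidate addresses against a published identifier; the change only raises the price of each guess, and the service pays that same price once per address it hashes.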