Assuming you are talking about the Ubuntu box, that is correct. The file on the CIFS mount on the Ubuntu box shows as root:root. The same files on the TrueNAS Core server show up as media:media (or whatever the username you created to connect to the Samba server is).
Wrong. Assuming it’s the same Ubuntu install. If you mount it as root and the group ownership is root, then the Plex user will still view the files on the Ubuntu box as having root:root ownership. If the plex user creates new files (assuming the Other group has write permissions, so something like 777 or 776), then the new files over on the Ubuntu box will appear as owned by plex, but on TrueNAS Core, they will still show up as media:media.
But if you unmount and remount the CIFS share, everything will change back to the local Linux user you mount the CIFS share as, so all the plex user’s files will be shown as root:root on Ubuntu, but still be media:media on TrueNAS. I am assuming that Plex can read the files over on the CIFS mount because the local mount permission for O group is set to read-permissible (774 / 776 / 777).
The CIFS client will mount an SMB share using a local user, be it root or something else, but the SMB server will convert whatever UID and GID the client is seeing to the UID and GID of the SMB user local to the server.
So the files on the server are always secure, as long as you don’t share your SMB account and password with other people. On the Ubuntu server however, the mount itself is only as secure as you make it to be. I would personally mount the CIFS share under the user running the Plex server, and if write permissions are not needed, I would just set the mount options to 400 (read-only for plex) or 500 (read and execute only for plex) if it needs exec rights (not likely for video and images).
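
An added example, not part of the original post: a small shell check that reads CIFS mount lines in `/proc/mounts` format and flags the client-side settings discussed above (mounted as root, or `file_mode`/`dir_mode` granting access to "other"). The function names, the sample lines, the `//nas/media` share and uid 998 are constructed placeholders, and a missing `uid=` is assumed to mean root.

```shell
#!/bin/sh
# Added example: flag CIFS mounts whose client-side ownership/mode is looser
# than the "mount as the service user, mode 400/500" advice above.
# Input lines use /proc/mounts format; the sample lines are constructed.

# Print the value of option $2 from the comma-separated option list $1.
opt_value() {
    printf '%s\n' "$1" | tr ',' '\n' | sed -n "s/^$2=//p" | head -n 1
}

# Print space-separated findings for one mount line, or OK / NOT_CIFS.
audit_cifs_line() {
    read -r _dev _mnt fstype opts _rest <<EOF
$1
EOF
    if [ "$fstype" != "cifs" ]; then echo "NOT_CIFS"; return 0; fi

    findings=""
    uid=$(opt_value "$opts" uid)
    # uid=0: every file on the mount appears root-owned locally.
    # Assumption: a missing uid= option is treated as root.
    if [ "${uid:-0}" = "0" ]; then findings="$findings ROOT_OWNED"; fi

    for key in file_mode dir_mode; do
        mode=$(opt_value "$opts" "$key")
        if [ -z "$mode" ]; then continue; fi
        other=${mode#"${mode%?}"}      # last octal digit = "other" bits
        case "$other" in
            0)       ;;                                            # 400 / 500 style
            2|3|6|7) findings="$findings ${key}:OTHER_WRITE" ;;    # 776 / 777
            *)       findings="$findings ${key}:OTHER_ACCESS" ;;   # 774 / 775
        esac
    done

    echo "${findings:-OK}" | sed 's/^ //'
}

# Constructed sample lines (share, mount point and uid 998 are placeholders).
LOOSE='//nas/media /mnt/media cifs rw,username=media,uid=0,gid=0,file_mode=0777,dir_mode=0777 0 0'
TIGHT='//nas/media /mnt/media cifs ro,username=media,uid=998,gid=998,file_mode=0400,dir_mode=0500 0 0'

audit_cifs_line "$LOOSE"
audit_cifs_line "$TIGHT"
```

To check a live system, feed each line of `/proc/mounts` to `audit_cifs_line` instead of the sample strings.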