Some answers to your questions:
Can these emergency proposals only be submitted when the governance canister is down? Will this be enforced in code?
We pondered this but found no viable way to enforce this that would retain an operational advantage.
I’m also curious why only node providers that participate in the NNS subnet can submit these emergency proposals. Is it totally random which node providers happen to run nodes assigned to the NNS subnet? Or is there some special requirement / privilege?
Because this way the security assumptions are exactly the same as those of the underlying system, i.e. we’re not giving more power than already exists, just making it more explicit and auditable.
Also, what happens when the root canister goes down?
Good question. The root canister itself is controlled by another canister, the lifeline canister, which can upgrade it (and which in turn is controlled by the root canister, forming a cycle). So if the root canister is broken, it can be upgraded by the lifeline, and vice versa: if the lifeline canister is broken, it can be upgraded by the root canister. The only single point of failure atm is the governance canister.