The sha256 hash of the download I installed the update from matches other installers acquired from other browsers: electrum-3.3.4-setup (1).exe, electrum-3.3.4-setup (2).exe. (Can this, has this been spoofed, as far as anyone knows?)
All this tells you is that you correctly downloaded the same file. It doesn't tell you whether this file is legit electrum or fake electrum. That's why we do gpg signature verification. When you do that you are checking that the maintainer has signed the file in addition to checking that you downloaded it correctly. If you trust the maintainer ThomasV then you can trust the download.
I did not feel comfortable gpg verifying the download. I thought if I was confident I was installing from a link on the actual electrum site that should be enough, but if I install the new version to a new directory and (this part did not go as planned, hence me registering here and posting this) "only" restore in the newly installed client a seed from a wallet with a smaller amount of btc as a test, and it didn't disappear, then I could be confident the new install was legit. (The new install apparently overwrote the previous install, and populated the "recent" wallets from the previous version automatically, which I did not expect. So I got paranoid and I am here trying to decide what to do next.)
You can still gpg verify the download so I suggest doing that. That'll make your life a lot easier.
Here's a guide. You learn how to do this once and it serves you every time you need to update electrum going forward. Electrum gets updates a lot so you will need this knowledge.
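The two checks discussed above, as an added example that is not part of the original thread: the sha256 comparison only proves the file is the same bytes everyone else got (integrity), while the gpg check proves the maintainer signed it (authenticity). The script accepts a signature only if gpg reports VALIDSIG for a specific fingerprint, because gpg still prints GOODSIG/VALIDSIG for any imported key, including an attacker's, and only warns that the key is not trusted. The fingerprint constant, the installer bytes and the gpg status lines are constructed placeholders; the real maintainer fingerprint is not on this page and must come from a trusted source.

```python
"""Verify an installer in two steps: integrity (sha256) then authenticity (gpg).

Added example, not code from the Electrum project. MAINTAINER_FPR is a
placeholder and must be replaced with the maintainer's real fingerprint.
"""
import hashlib
import os
import subprocess
import tempfile

# Placeholder fingerprint (40 hex digits); the page does not give the real one.
MAINTAINER_FPR = "0000000000000000000000000000000000000000"


def sha256_file(path: str) -> str:
    """Stream the file through sha256 so large installers do not need to fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def integrity_ok(path: str, expected_hex: str) -> bool:
    """Integrity only: the bytes match the published hash. Says nothing about who made them."""
    return sha256_file(path) == expected_hex.strip().lower()


def parse_gpg_status(status_text: str, expected_fpr: str) -> bool:
    """Authenticity: True only if gpg reported VALIDSIG from the expected key.

    status_text is the machine-readable output of `gpg --status-fd 1 --verify`.
    VALIDSIG fields: [GNUPG:] VALIDSIG <signing-key-fpr> <date> <ts> ... [<primary-key-fpr>]
    """
    want = expected_fpr.replace(" ", "").upper()
    valid_by_maintainer = False
    bad = False
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        fields = line.split()
        tag = fields[1]
        if tag in ("BADSIG", "ERRSIG", "NO_PUBKEY", "EXPKEYSIG", "REVKEYSIG"):
            bad = True
        elif tag == "VALIDSIG":
            # Accept a signing subkey of the maintainer's primary key as well.
            if want in (fields[2].upper(), fields[-1].upper()):
                valid_by_maintainer = True
    return valid_by_maintainer and not bad


def gpg_verify(path: str, sig_path: str, expected_fpr: str = MAINTAINER_FPR) -> bool:
    """Run gpg on a detached .asc signature and check the reported fingerprint."""
    proc = subprocess.run(
        ["gpg", "--status-fd", "1", "--verify", sig_path, path],
        capture_output=True, text=True,
    )
    return parse_gpg_status(proc.stdout, expected_fpr)


# Constructed sample data (not a real installer, not real gpg output).
SAMPLE_INSTALLER = b"constructed installer bytes, not a real binary\n"
OTHER_FPR = "1111111111111111111111111111111111111111"
SAMPLE_STATUS_GOOD = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] GOODSIG 0000000000000000 Placeholder Maintainer <maintainer@example.invalid>\n"
    f"[GNUPG:] VALIDSIG {MAINTAINER_FPR} 2019-03-01 1551398400 0 4 0 1 10 00 {MAINTAINER_FPR}\n"
    "[GNUPG:] TRUST_UNDEFINED 0 pgp\n"
)
# Same shape, but signed by some other key that happens to be in the keyring.
SAMPLE_STATUS_WRONG_KEY = SAMPLE_STATUS_GOOD.replace(MAINTAINER_FPR, OTHER_FPR)
SAMPLE_STATUS_BAD = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] BADSIG 0000000000000000 Placeholder Maintainer <maintainer@example.invalid>\n"
)


def demo() -> dict:
    """Exercise both checks on the constructed data and return the outcomes."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "electrum-3.3.4-setup.exe")
        with open(path, "wb") as f:
            f.write(SAMPLE_INSTALLER)
        published_hash = hashlib.sha256(SAMPLE_INSTALLER).hexdigest()
        return {
            "integrity": integrity_ok(path, published_hash),
            "tampered": integrity_ok(path, "00" * 32),
            "sig_good": parse_gpg_status(SAMPLE_STATUS_GOOD, MAINTAINER_FPR),
            "sig_wrong_key": parse_gpg_status(SAMPLE_STATUS_WRONG_KEY, MAINTAINER_FPR),
            "sig_bad": parse_gpg_status(SAMPLE_STATUS_BAD, MAINTAINER_FPR),
        }


if __name__ == "__main__":
    print(demo())
```

In real use, import the maintainer's key once from a source you trust, then call `gpg_verify("electrum-3.3.4-setup.exe", "electrum-3.3.4-setup.exe.asc")` for every future update; the `sig_wrong_key` case is the one a plain "Good signature" message would hide.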
If I have or will DL/install compromised updates to electrum, does the attacker immediately gain access to every (seed)wallet>addresses that I can toggle between under file>recently open? (So my btc in all "recent" wallets is already gone?)
The wallet file is encrypted with the password you set in electrum. So the attacker gets access to your coins as soon as you enter the password. If you never do that he doesn't get access to your coins, although there's still the possibility that he installed other malware on your PC. It's also possible that he may get your encrypted wallet secrets and attempt to brute force your password at his convenience. So if you never entered the password you should still move your coins to a new wallet.
If yes, how can I prevent the electrum client from being a central point of failure in the future for all wallets/coins stored (hot) on that device (passwords? moving .dat out of a directory and zip-encrypting it...??), shy of a watch only + airgapped machine, which I will get to eventually but not now.
You can't. If the wallet is malware, it doesn't matter what you do, you will lose your coins.
If I already installed a compromised version but not all coins across all seeds/wallets listed in recent have been swept instantly (I did not broadcast any transactions), what steps can I take to protect funds in the other "recent" hot seeds/wallets?
Reinstall the OS, download, gpg verify and install genuine electrum and then move your coins to new wallets with new autogenerated seeds. You can create a new wallet via file > new/restore, enter a unique filename and click next for the rest of the steps.
Of course any other advice/links on general opsec could be useful, but honestly if only one wallet at a time is at risk of being compromised, that is a level of risk I am fine with in perpetuity.
Thank you
Learn to gpg verify the download and save yourself the headache and worry.