I can send coins to all of those addresses, and to a third-party observer that will look like balances on different, unrelated addresses.
If I'm correct, are there any flaws or security risks in this?
Not necessarily.
P2PKH (legacy) and P2WPKH (bech32) addresses contain the same data, the hash160 of your public key. So anyone scanning the blockchain will immediately know that if a P2PKH output and a P2WPKH output have the same hash160, then the owner is the same person.
Regarding security risks, there are none.
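To make the linkage in the answer concrete, here is an added example (my own code, not the answerer's) that encodes one hash160 as both a legacy P2PKH address and a bech32 P2WPKH address, then does what a chain observer would do: decode each address back to its 20-byte key hash and compare. The function names are mine; the sample hash160 is the BIP173 test vector (hash160 of the compressed secp256k1 generator point).

```python
import hashlib
B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
BECH = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"
GEN = [0x3b6a57b2, 0x26508e6d, 0x1ea119fa, 0x3d4233dd, 0x2a1462b3]
def sha256d(b):
    return hashlib.sha256(hashlib.sha256(b).digest()).digest()
def p2pkh_address(h160, version=0x00):  # Base58Check(version || hash160 || checksum)
    data = bytes([version]) + h160
    data += sha256d(data)[:4]
    n, out = int.from_bytes(data, "big"), ""
    while n:
        n, r = divmod(n, 58)
        out = B58[r] + out
    return "1" * (len(data) - len(data.lstrip(b"\0"))) + out  # each leading 0x00 -> '1'
def polymod(values):  # BIP173 checksum arithmetic; a valid string yields 1
    chk = 1
    for v in values:
        top, chk = chk >> 25, ((chk & 0x1ffffff) << 5) ^ v
        for i in range(5):
            chk ^= GEN[i] if (top >> i) & 1 else 0
    return chk
def hrp_expand(hrp):
    return [ord(c) >> 5 for c in hrp] + [0] + [ord(c) & 31 for c in hrp]
def p2wpkh_address(h160, hrp="bc"):  # bech32(witness version 0 || the same hash160)
    bits = "".join(f"{b:08b}" for b in h160)
    data = [0] + [int(bits[i:i + 5], 2) for i in range(0, len(bits), 5)]
    pm = polymod(hrp_expand(hrp) + data + [0] * 6) ^ 1
    data += [(pm >> 5 * (5 - i)) & 31 for i in range(6)]
    return hrp + "1" + "".join(BECH[d] for d in data)
def hash160_from_address(addr):  # what a chain observer does: pull the key hash out of either form
    if addr.lower().startswith("bc1"):
        hrp, body = addr.lower().rsplit("1", 1)
        vals = [BECH.index(c) for c in body]
        if polymod(hrp_expand(hrp) + vals) != 1:
            raise ValueError("bad bech32 checksum")
        bits = "".join(f"{v:05b}" for v in vals[1:-6])  # drop witness version and checksum
        return bytes(int(bits[i:i + 8], 2) for i in range(0, len(bits) - 7, 8))
    n = 0
    for c in addr:
        n = n * 58 + B58.index(c)
    raw = n.to_bytes(25, "big")  # version || hash160 || checksum
    if sha256d(raw[:21])[:4] != raw[21:]:
        raise ValueError("bad base58 checksum")
    return raw[1:21]

def same_owner(addr_a, addr_b):  # True when both output scripts commit to the same key hash
    return hash160_from_address(addr_a) == hash160_from_address(addr_b)

# Constructed input: the BIP173 test-vector hash160 (hash160 of the compressed secp256k1 generator point)
H160 = bytes.fromhex("751e76e8199196d454941c45d1b3a323f1433bd6")
```

Running `same_owner(p2pkh_address(H160), p2wpkh_address(H160))` returns True: the two address strings look unrelated, but both reveal the identical hash160 to anyone who decodes them.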
And if I'm importing a private key into some kind of wallet software, how does the wallet determine which address to scan for on the blockchain and which balance to consider as the wallet's balance?
It doesn't know. Currently, if you import a WIF format private key (as is the current standard), most wallets will interpret it as the private key for a P2PKH address. Some wallets may have settings that let you tell it to make a P2WPKH or P2SH-P2WPKH address, but there is no standard for that. It is currently up to the implementations.
However, the creator of the bech32 standard is currently working on a similar encoding for private keys. This encoding would specify the type of witness output that a private key is for, so wallets can use that to determine what address to create and scan for.