Yes, the scriptWitness is malleable.
While you could malleate a transaction to be larger, I'm not sure why you would. You can't change the fee that is paid by that transaction, so your malleated one would have a lower fee rate than the original, so it would most likely be rejected in favor of the original. That also means that the malleated transaction is less likely to show up in a block than the original transaction. Additionally, such malleation would make the transaction non-standard, so most nodes would discard it regardless of whether they had seen the original.
Since the original transaction and the malleated transaction have the same transaction id, the mempool will accept the first it receives, right? Will mempool compare the fee rate for transactions with the same id?
Users do not have any motivation to malleate the transaction. Just some malicious relaying node could do that. I admit that it's not a big issue in practice.