tokenTransferNonceMUST return a monotonically increasing nonce scoped to(asset, to).
This follows the pattern of ERC-2612 instead of the pattern of ERC-3009. Have you read the rationale behind ERC-3009? If you allow the nonce to be a random number, it allows using the nonce to encode intent information, which is quite useful.
Traditional off-chain authorization standards like EIP-3009 require support from the token contract itself. Many legacy and new tokens do not implement these, limiting gasless usability.
This is a good point. But it is easier to get users to use your token than to get them to use your wallet.
uint256 value
This field can be reused for ERC-721 support. You don’t need to have a separate standard for NFTs.
bytes calldata signature
In the Solidity ABI this signature parameter uses 5 words (offset, size, v, r, s). If you changed this to uint8 v, bytes32 r, bytes32 s then it would be 3 words. If you use ERC-2098 or ERC-8111 it would be 2 words. Perhaps you want to allow for non-ECDSA signatures. If so, you can explain this in your Rationale.