Let users pick their own username, forbid already existing and recently deleted users, laugh at anybody foolish enough to insist on their forename as they are constantly mistaken for somebody else with the same forename.
Since they are picking the username, they are solely responsible for its perceived meaning, if any. If you're dealing with kids I suppose you might thus want to have oversight/veto.
If absolutely necessary also forbid usernames which conflict with system identifiers, but prefer where possible to simply separate the two namespaces altogether so that it's impossible for either the system or the users to confuse a person with a machine, or an ordinary user with an administrator or other higher power.
While working at a university I selected the username "ruth" (a now-rare word meaning roughly "remorse" and the source of the still common word "ruthless") and the associated email address was assigned to me automatically. Over the years I discovered that humans who can't use their email client properly are about as common as automatic systems that are too dumb to know the difference between a username and a person's real name. I received confidential correspondence, invitations, enquiries, bounces, and numerous other emails that should have been sent to (and in some cases, explicitly were addressed to) members of staff with the forename "Ruth". Nobody showed any interest in either fixing the automated systems or retraining the staff, but they did eventually institute a system in which they gave everybody an email address of the form Firstname.Lastname@University. This system had all the flaws you have mentioned above; it fixed nothing, but most likely it made some barely computer-literate new VC feel that they could email anybody by guessing at the correct address and then probably blaming "those IT people" when their confidential union settlement proposal was mistakenly sent to a janitor or whatever.
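As an added illustration, not part of the original comment, here is a minimal Python account store that applies the policy described above: user-chosen names, rejection of names already in use or deleted within a cooldown, and either a reserved-system-identifier check or a separate `user:` namespace so that a user called "root" can never be confused with the system's root. The one-year cooldown, the character rules and the case-insensitive comparison are assumptions.

```python
import re
from dataclasses import dataclass, field

SYSTEM_IDS = {"root", "admin", "daemon", "www-data", "postmaster"}  # constructed sample
REUSE_COOLDOWN = 365 * 86400          # assumed: one year before a deleted name is reusable
NAME_RE = re.compile(r"[a-z][a-z0-9_-]{0,31}")  # assumed character policy


def canonical(name: str) -> str:
    # Assumption: names compare case-insensitively, so "Ruth" and "ruth" collide.
    return name.strip().casefold()


def principal(namespace: str, name: str) -> str:
    # Namespaced identity: "user:root" and "system:root" can never be confused.
    return f"{namespace}:{name}"


@dataclass
class AccountStore:
    # When True, users live in their own namespace, so the system-id check is not needed.
    separate_namespaces: bool = False
    active: set = field(default_factory=set)
    deleted: dict = field(default_factory=dict)   # canonical name -> deletion time (epoch s)

    def check(self, requested: str, now: float) -> tuple:
        """Return (accepted, reason) for a user-chosen username."""
        name = canonical(requested)
        if not NAME_RE.fullmatch(name):
            return False, "invalid characters or length"
        if name in self.active:
            return False, "already in use"
        if name in self.deleted and now - self.deleted[name] < REUSE_COOLDOWN:
            return False, "recently deleted; not yet reusable"
        if not self.separate_namespaces and name in SYSTEM_IDS:
            return False, "conflicts with a system identifier"
        return True, "ok"

    def register(self, requested: str, now: float) -> str:
        ok, reason = self.check(requested, now)
        if not ok:
            raise ValueError(reason)
        name = canonical(requested)
        self.active.add(name)
        self.deleted.pop(name, None)
        return principal("user", name)   # user accounts always carry the "user:" prefix

    def delete(self, requested: str, now: float) -> None:
        name = canonical(requested)
        self.active.discard(name)
        self.deleted[name] = now        # tombstone keeps the name out of circulation
```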