All very correct. To specifically state it: $_ is a global variable, and is shared between all packages.
This means that if you use it, you should use local() to be polite to your callers, and you should be careful to insulate yourself from code that may alter it.
This can be a difficult proposition if you didn't write the code yourself (and sometimes even if you did!). Generally, you have to look at each appllication of $_ and judge on a case-by-case basis whether someone else may be modifying it while you're using it.
Your best protection is to get into the habit of always localizing it yourself, so as not to step on someone else's toes, and to not trust that code you call has always been so polite.