The base descriptor file must live on root, so it is always accessible cross-origin in an expected place.
As far as claiming space you do not own, that part is a function of the platform and geofencing. The platform must determine which domains pertain to which geo areas. Google already does this in its map product - points and buildings are already associated with the domains of businesses, entities, and organizations. When a location cannot be linked, or has yet to be linked, to a domain by the platform, it reverts to the open model described in Scott Jensen’s Physical Web proposal.
As far as scoping or truncation in the entity.json file, I would love to see any potential size issues handled via JSON-LD.