Not many games actually use malloc. Most of the times you'll see custom allocation methods (both dynamic and static), so it's kinda hard to find out how much memory is available for extra data. A few games, like mine, use the malloc3 set from the SDK, but don't expect to count too much on this one.

SotN uses static allocation, along with other anal routines of evilness.

Removing the BIOS font mapping is just a matter of hacking "KromToAddr" (and similar functions) to force it using actual RAM instead of BIOS ROM. Or you can just crush it all and rewrite the whole upscale+rendering routines, which will look a lot better in the end and should give you much more control.

Yes, it is safe to use, but you have to write code/data/whatever you need there AFTER the game is booted. In other words, if you store something there directly from the EXE it's not gonna work on real hardware and it will have 100% possibilities of freezing on a PS2. Instead, memcpy makes it work like a charm.

If the BSS segment is big enough you can store your additional code there and then copy it to the desidered destination before the BSS reset routine is executed. I did that with the mdec subtitles for FFVII International and with several intros.