1) If the CPU is the limiting factor, why does the usage percentage fluctuate? I mean, I would argue that a demanding task would request a constant %CPU power processing (as much as it could get). In this case I would expect a full core (a 25% of the total) to be fully occupied while the task is running. I don't understand why it constantly varies from a 12% to a 22%.
Hard to tell.
2) If both WinSCP and FileZilla client use the same full core in the same machine, why does the later saturate the download bandwidth, while the former doesn't?
Better implementation of the encryption. Or better compiler. Or inferior encryption used by FileZilla (unlikely).
3) Why does a previous version of WinSCP (version 4.3.3) perform better than the current one (the ancient one reaches 40MBps while the latest only gets 30MBps)?
Inferior (less CPU demanding) encryption algorithm used by 4.x
4) Related to the previous point, and as the tip at the beginning of this post suggests, could the crypto libraries that WinSCP is using be the root cause to this issue?
Possibly. Or a less efficient compiler.