If you use a device provided by someone, you should take into account that they can customize the firmware as they wish - that includes leaving an SSH server with their key authorized to access the root account, so they can remote in at any time and do whatever they want on the router.
Even if they do not have direct remote access, the firmware may be designed to periodically check for updates from the ISP's server, so they can add the remote access functionality at any time.
Now, this doesn't usually mean it will be used maliciously. I do it as well on the equipment I provide, and I feel it is fine as long as the customer is fully aware of it. This allows for quick fixes and diagnostics before the customer even realizes there was a problem in the first place. But you have to understand that the level of control your ISP can have is way beyond seeing what SSID and wireless key you set. With full root access it is possible to see and tamper with the traffic passing through the device.
Whether you trust that router depends on whether you trust your ISP and how their systems are secured (if an attacker steals the credentials used to log into your router or compromises the remote management/update infrastructure, he will have the same level of control the ISP has).
Finally, with most ISP-provided routers, I would be more scared about the lack of updates and security built into the firmware rather than the remote access functionality. Remote access is bad, but it's likely there are tons of other vulnerabilities that give full root access to an attacker no matter whether ISP-provided remote access is in place or not.
For your second question, no - your ISP will not be able to see your own equipment's settings unless they know your administrative password (and will log in over the web interface just like you do when configuring the device). They could, however, still know which SSID you are broadcasting and what encryption type, as they have control over the router and the wireless card and nothing prevents them from running airodump-ng on it. I doubt they will do this (why is knowing your own SSID so important to them?) but they definitely can.
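An added example, not part of the original answer: if you can obtain a copy of the device's root `authorized_keys` file, this sketch lists every key in it by OpenSSH SHA256 fingerprint and flags the ones you do not recognise. The sample lines, comments and address are constructed, and the helper names are hypothetical.

```python
import base64, binascii, hashlib, struct

def _blob_type(blob):
    """Return the key-type string embedded at the start of an SSH public-key blob."""
    (n,) = struct.unpack(">I", blob[:4])
    return blob[4:4 + n].decode("ascii", "replace")

def fingerprint(blob):
    """OpenSSH-style SHA256 fingerprint: unpadded base64 of SHA-256 over the key blob."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")

def parse_authorized_keys(text):
    """Yield (options, key type, fingerprint, comment) for each valid key line."""
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        # Options (from=..., command=...) may precede the key type, so scan for
        # the first field whose following base64 blob names the same key type.
        for i in range(len(fields) - 1):
            try:
                blob = base64.b64decode(fields[i + 1], validate=True)
                if len(blob) > 4 and _blob_type(blob) == fields[i]:
                    yield " ".join(fields[:i]), fields[i], fingerprint(blob), " ".join(fields[i + 2:])
                    break
            except (binascii.Error, ValueError, struct.error):
                continue

def unexpected_keys(text, known_fingerprints):
    """Return entries whose fingerprint is not in the set the owner recognises."""
    return [e for e in parse_authorized_keys(text) if e[2] not in known_fingerprints]

def _sample_line(seed, comment, options=""):
    # Constructed ssh-ed25519 blob (type string + 32 filler bytes), not a real key.
    name = b"ssh-ed25519"
    blob = struct.pack(">I", len(name)) + name + struct.pack(">I", 32) + bytes([seed]) * 32
    return f"{options} ssh-ed25519 {base64.b64encode(blob).decode()} {comment}".strip(), fingerprint(blob)

OWNER_LINE, OWNER_FP = _sample_line(1, "owner@laptop")
OTHER_LINE, OTHER_FP = _sample_line(2, "support@isp.example", 'from="192.0.2.10"')
SAMPLE = "# constructed sample of a root authorized_keys file\n" + OWNER_LINE + "\n" + OTHER_LINE + "\n"

if __name__ == "__main__":
    for opts, ktype, fp, comment in unexpected_keys(SAMPLE, {OWNER_FP}):
        print(f"unrecognised root key: {ktype} {fp} {comment} [{opts}]")
```

A clean result only covers keys stored in that file; as the answer notes, firmware that pulls updates from the provider can add access later.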
16 If your ISP can access your cable modem settings remotely - then yes they can see all settings you changed. If they can't access it remotely then no. – Darius – 2016-07-30T08:45:51.643
4 Less sophisticated users will rely on the provider of their rented equipment to support it in all ways. To meet that consumer expectation, the provider will need to have total visibility/control over the on-premise equipment. If you want privacy, don't use the WiFi feature of their equipment; connect your own WiFi router via physical network cable. It adds an extra layer, but isolates your home network from anything your cable provider can see. – Zenilogix – 2016-07-30T14:18:00.693
1 This is one reason my cable modem does not have Wi-Fi. – Michael Hampton – 2016-07-30T17:16:58.777