I disagree with your first bullet point. Does it means running Cloud Run with an internet access is insecure?

With IAM security, Cloud Run has the same level of security than BigQuery and Cloud Storage. Does that mean I have to ask Google to plug those products into my VPC to be more secure?

This pattern allows you to answer to sec team that do not understand cloud security and new ways to deploy services. It's only an old pattern apply to a new world. Meaningless.

Container in root mode is also useless in sandboxed environment with Cloud Run.

And the free tier is for 1 e2-micro, in us-central1, not for 2.

And why GKE is in the picture? Is it LLM generated?