I agree with your takeaways, but think it’s not enough.

Additional level of security (even) to serverless functions (e.g. Lamda) is still required.

New serverless malwares and/or identity (credentials) theft can pass these precautions measures, which are similar to a “white-list” approach.

Adding additional layer of inspection can prevent unwanted breaches. Especially when taking into consideration the required time for effective breach is much longer in this environment, hence even an “offline” solution can be very effective.