Hi, Nigel.
Function/Web app IP ranges are not that volatile, although they are still not guaranteed. I had only one issue with an IP address switch over the last two years (34 apps), and proper health monitoring of an app will help with a possible switch. Infrastructure code populates the exact app IP addresses into the database firewall so that only that particular app can access it. The next step is to enable Azure Defender for SQL to tackle unexpected situations.
No public endpoint should be used for the SQL database.
Private endpoints are a much better choice than firewalls, but as you mention, it's a Premium Functions feature, and VNets affect the architecture and cost for the end customer. So usually, this is agreed upon before the project starts.
Managed identity is great but can also be volatile :). I had an issue with broken connectivity between the app and Key Vault with a wrong token exception, which was solved by re-generating the MI.
Functions security is a broad topic for discussion. Let me know if you have further questions via Twitter or LinkedIn.
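The "infrastructure code populates exact app IP addresses to the database firewall" step described above, as an added example that is not the commenter's own code: it reconciles a Function App's outbound IP list against a snapshot of the SQL server's firewall rules, so an IP switch shows up as a stale rule to delete and a new one to create, and it flags any rule wider than a single host. The addresses, rule names and the `func-orders` prefix are constructed for the example.

```python
import ipaddress
from typing import Dict, List, Tuple

Rule = Tuple[str, str]  # (start_ip, end_ip) of an Azure SQL server firewall rule

# Constructed sample data (not real addresses): the comma-separated string held by
# the Function App's possibleOutboundIpAddresses property, and a snapshot of the
# SQL server's current firewall rules keyed by rule name.
APP_OUTBOUND_IPS = "203.0.113.10, 203.0.113.11,203.0.113.12"
EXISTING_RULES: Dict[str, Rule] = {
    "func-orders-203-0-113-10": ("203.0.113.10", "203.0.113.10"),
    "func-orders-203-0-113-9": ("203.0.113.9", "203.0.113.9"),  # stale after an IP switch
    "AllowAllWindowsAzureIps": ("0.0.0.0", "0.0.0.0"),          # "allow Azure services" sentinel
    "office-range": ("198.51.100.0", "198.51.100.255"),
}


def parse_outbound_ips(raw: str) -> List[str]:
    """Split the comma-separated property; every token must be a single IPv4 address."""
    return sorted({str(ipaddress.IPv4Address(t.strip())) for t in raw.split(",") if t.strip()})


def rule_name(prefix: str, ip: str) -> str:
    return f"{prefix}-{ip.replace('.', '-')}"


def plan_firewall_sync(app_ips: List[str], existing: Dict[str, Rule], prefix: str):
    """Return (rules_to_add, rules_to_delete, warnings) so that, under `prefix`,
    exactly the app's current outbound addresses are allowed as /32 rules.
    Rules outside the prefix are left alone but are reported if broader than one host."""
    wanted = {rule_name(prefix, ip): (ip, ip) for ip in app_ips}
    managed = {n: r for n, r in existing.items() if n.startswith(prefix + "-")}
    to_add = {n: r for n, r in wanted.items() if managed.get(n) != r}
    to_delete = sorted(n for n in managed if n not in wanted)
    warnings = []
    for name, (start, end) in existing.items():
        if (start, end) == ("0.0.0.0", "0.0.0.0"):
            warnings.append(f"{name}: allows all Azure services, not just this app")
        elif ipaddress.IPv4Address(start) != ipaddress.IPv4Address(end):
            warnings.append(f"{name}: range {start}-{end} is wider than a single host")
    return to_add, to_delete, warnings


if __name__ == "__main__":
    ips = parse_outbound_ips(APP_OUTBOUND_IPS)
    add, delete, warn = plan_firewall_sync(ips, EXISTING_RULES, "func-orders")
    for n, (s, e) in add.items():
        print(f"create {n} {s}-{e}")   # the firewall-rule create call for the pipeline goes here
    for n in delete:
        print(f"delete {n}")           # and the matching delete call here
    for w in warn:
        print("WARN", w)
```

Running the pipeline on every deployment and alerting on a non-empty `warnings` list keeps the "exact app IP only" property from silently eroding.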