
> elsewhere in the project is PII

Servers holding PII should be firewalled off. Necessary traffic should be explicitly granted. That would remedy the issue a bit.



Most of my GCP clients shove PII into a GCP Service, like BQ. It's not put on a "server" per se, so firewall rules don't really apply here. The appropriate thing to assert is that necessary IAM permissions should be granted explicitly.

This is usually the case, as most of my clients use isolated GCP projects for housing PII data. This forces IAM permissions to be granted to service accounts, which, hopefully, means that administrators are cognizant of the levels of access that they are granting to service accounts.

Not a guarantee, mind you, but hopefully some red flags would be raised if someone requested PII-level access for a Service Account associated with a public-facing web server.
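
The review described in the comment above can be automated against a project's IAM policy. The following is an added example, not code from any commenter: it flags service accounts that hold data-access roles in a PII project without being on an approved list. The project names, service account names, approved list, and the choice of which roles count as "PII-level" are assumptions made for illustration.

```python
import json

# Roles treated as PII-level access for this example (an assumption;
# adjust to your own policy). All are real predefined or basic GCP roles.
DATA_ROLES = {
    "roles/bigquery.dataViewer", "roles/bigquery.dataEditor",
    "roles/bigquery.dataOwner", "roles/bigquery.admin",
    "roles/owner", "roles/editor", "roles/viewer",
}

# Constructed sample in the shape printed by
# `gcloud projects get-iam-policy PROJECT_ID --format=json`.
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/bigquery.dataViewer",
     "members": ["serviceAccount:etl@pii-project.iam.gserviceaccount.com",
                 "serviceAccount:web-frontend@public-web.iam.gserviceaccount.com"]},
    {"role": "roles/bigquery.jobUser",
     "members": ["serviceAccount:web-frontend@public-web.iam.gserviceaccount.com"]},
    {"role": "roles/editor",
     "members": ["serviceAccount:123456789-compute@developer.gserviceaccount.com",
                 "user:admin@example.com"]}
  ]
}
""")


def unexpected_sa_grants(policy, approved):
    """Return sorted (service_account, role) pairs where a service account
    that is not on the approved list holds one of DATA_ROLES."""
    findings = set()
    for binding in policy.get("bindings", []):
        if binding.get("role") not in DATA_ROLES:
            continue
        for member in binding.get("members", []):
            kind, _, ident = member.partition(":")
            if kind == "serviceAccount" and ident not in approved:
                findings.add((ident, binding["role"]))
    return sorted(findings)


if __name__ == "__main__":
    approved = {"etl@pii-project.iam.gserviceaccount.com"}  # hypothetical allowlist
    for sa, role in unexpected_sa_grants(SAMPLE_POLICY, approved):
        print(f"REVIEW: {sa} holds {role}")
```

Bindings granted at the dataset or table level are not part of the project policy, so a full review would repeat the check on those resources as well.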


IIUC this is insufficient (!) - even with a firewall between them, a VM is now vulnerable to attack from another VM on the subnet (in the same GCP project).



