Hi Raphael,
I work on Integration-related questions here and support the PaaS-tier services that you have listed out above. Travis pinged me about this post, and I'm making my response as an answer, as we currently have a 1000-character limit on comments on this channel. In short, your understanding is correct and that is a valid point of view. Upon reading your post, the following statement stands out to me, with two key phrases:
In our case, we will manipulate sensitive data in an integration scenario between 2 Microsoft cloud solutions for internal use only...
For securing sensitive data, you'll want network security and true isolation from the rest of the tenants on public Azure. Most enterprise/government-level compliance controls will require such isolation, and VNET integration is the feature that is offered from (mostly) the Premium SKUs of the PaaS-tier offerings above. Note that because of the PaaS nature of these services, you'll find some of them needing to use certain network ports and/or establish connectivity to other PaaS services (e.g. Storage, for telemetry gathering, pushing updates, etc.) outside of your VNET (configured by you during VNET integration) under the covers for utility purposes. For example, Azure Functions requires connectivity to a Storage Account in order for it to run properly and offer its features (although the ability to isolate the storage solution in a VNET is coming very soon too). If you run into this type of issue and find your security requirements in conflict, feel free to open a new post here with the specific details, and rest assured that we have documentation and teams of engineers available to help and provide the necessary assistance. Alternatively, you may also choose to self-host these PaaS runtimes and run them in your own microservice architecture of your choice for greater control, if need be.
As for the internal-only use, I would probably throw in Azure Policy to be used in conjunction with RBAC for more automatic prevention. And of course, you can always look to use OAuth/OpenID Connect flows for any AuthN/AuthZ scenarios between user-to-service and service-to-service communications. There is also Managed Identity and Key Vault integration, which are all supported with the services listed above, depending on your budget and requirements. Hope this is helpful; let me know if you have any questions.