I was part of the Cloud SQL team when putting databases in VMs was designed (previously the MySQL process was run in a sandbox).
I am sure Cloud SQL is far more advanced since then (9 years ago), but security in depth was something we thought about a lot. Running in a VM for each database rather than a multi-tenant system was for security more than anything else. We could have multi-tenanted just as easily implementation-wise.
> This would never fly at Amazon because it would cost them a few cents to have anorher VM.
That is categorically false. Not only does Amazon's RDS do that (can't find where they say that, might have been at reinvent one year) but for other services like Fargate they used to waste way more resources due to instance single tenancy, until they adopted Firecracker: https://d1.awsstatic.com/events/reinvent/2019/CON423-R1_REPE...
The point is that their container offering recognizes, correctly, that containers aren't a secure isolation boundary so unless there's internal only ec2 instance sizes (which seems unlikely, but I could be wrong) they used to waste significant portions of an instance's compute in the name of security since the instance _is_ a secure boundary.
More broadly, based on the literature I've seen, I'd agree that GCP takes security seriously, but so does AWS and I haven't seen any good evidence to say one would be "better" than the other.
I would expect both to come up with a robust security model and as part of their defense in depth I'd expect both to enforce single tenancy at a hypervisor level any time they're running anything untrusted or which can be materially/declaratively influenced by customers (e.g. code, SQL, etc)
I am sure Cloud SQL is far more advanced since then (9 years ago), but security in depth was something we thought about a lot. Running in a VM for each database rather than a multi-tenant system was for security more than anything else. We could have multi-tenanted just as easily implementation-wise.