Hi _MartinB, here are my answers to your specific questions; I've also privately messaged you.
- Managed VNet allows you to use managed private endpoints, it does not force you to use a Managed Private Endpoint.
- You are correct. In my experience customers normally enable DEP due to regulatory/compliance reasons (i.e. they have to), whereas the controls you point out would be suitable to meet the same technical objectives, but may not meet a regulatory/compliance standard.
- Once again, you are correct: my advice about usage of the SHIR is specific to Pipelines, and doesn't account for other elements in Synapse. Apologies for any confusion.
Regarding Azure Firewall and third-party NVAs: the issue is that you can't force outbound routing from those services through the firewall like in a typical on-premises environment. There are some ways you could work around this, but you'd need to have processes similar to those which you outlined in point 2 to control for this.