Hacker News

DiabloD3, yesterday at 9:35 PM, 3 replies

I mean, ultimately, that's how Google routes internally.

IPSec-equivalent, VXLAN-equivalent, IPSec-equivalent.

Prevents any compromised layer from knowing too much about the traffic.


Replies

pixl97, yesterday at 9:45 PM

Internal is fine because you control things like MTU so you don't have to worry about packet fragmentation/partial loss.

als0, yesterday at 10:03 PM

That seems like an awful amount of overhead for questionable gain.

tucnak, yesterday at 10:23 PM

What gave you that idea? Internally, Google uses GRE/GENEVE-like stuff, but for reasons that have nothing to do with "preventing compromise" or whatever, but because they're carrying metadata (traces, latency budgets, billing ids). That is to say, encapsulation is just transport. It's pretty much L3 semantics all the way down... In fact, this is more or less the point: L2 is intractable at scale, as broadcast/multicast doesn't work. However, it's hard to find comparisons to anything you're familiar with at Google scale. They have a myriad of proprietary solutions and custom protocols for routing, even though it's all L3 semantics. To learn more:

Andromeda https://research.google/pubs/andromeda-performance-isolation...

Orion https://research.google/pubs/orion-googles-software-defined-...

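As an added example (not from this thread, and not Google's code), here is a parser for the GENEVE header format that tucnak mentions, showing the TLV options in which such metadata rides, plus the MTU budget point from pixl97's reply: how many bytes one encapsulation layer takes from the outer MTU. The sample packet, its VNI, the experimental-range option class 0xFFF0 and the 4-byte option payload are all constructed.

```python
import struct
from dataclasses import dataclass, field

@dataclass
class GeneveOption:
    opt_class: int   # 16-bit option class (namespace of the option type)
    opt_type: int    # 7-bit type; the high bit of the wire byte is the critical flag
    critical: bool   # receiver must drop the packet if it cannot process this option
    data: bytes      # option payload, a multiple of 4 bytes

@dataclass
class GeneveHeader:
    oam: bool
    critical_present: bool
    protocol: int    # EtherType of the inner payload, e.g. 0x6558 = Ethernet frame
    vni: int         # 24-bit virtual network identifier
    options: list = field(default_factory=list)
    header_len: int = 8

def parse_geneve(buf: bytes) -> GeneveHeader:
    """Parse a GENEVE (RFC 8926) header: 8 fixed bytes plus 4-byte-aligned TLV options."""
    if len(buf) < 8:
        raise ValueError("truncated GENEVE base header")
    b0, b1, proto, vni_rsvd = struct.unpack("!BBHI", buf[:8])
    if b0 >> 6 != 0:
        raise ValueError(f"unsupported GENEVE version {b0 >> 6}")
    opt_len = (b0 & 0x3F) * 4                       # option length is in 4-byte words
    hdr = GeneveHeader(bool(b1 & 0x80), bool(b1 & 0x40), proto, vni_rsvd >> 8,
                       header_len=8 + opt_len)
    if len(buf) < hdr.header_len:
        raise ValueError("truncated GENEVE options")  # never trust opt_len over the buffer
    off, end = 8, hdr.header_len
    while off < end:
        if end - off < 4:
            raise ValueError("malformed option: short TLV header")
        opt_class, type_byte, len_byte = struct.unpack("!HBB", buf[off:off + 4])
        data_len = (len_byte & 0x1F) * 4
        if off + 4 + data_len > end:
            raise ValueError("malformed option: length exceeds option area")
        hdr.options.append(GeneveOption(opt_class, type_byte & 0x7F,
                                        bool(type_byte & 0x80), buf[off + 4:off + 4 + data_len]))
        off += 4 + data_len
    return hdr

def inner_mtu(outer_mtu: int, hdr: GeneveHeader, outer_ipv6: bool = False) -> int:
    """IP MTU left for the inner packet after outer IP + UDP + GENEVE + inner Ethernet."""
    return outer_mtu - ((40 if outer_ipv6 else 20) + 8 + hdr.header_len + 14)

# Constructed sample: VNI 0xABC, inner Ethernet, one critical option (class 0xFFF0, type 1).
SAMPLE = bytes.fromhex("02406558000abc00" "fff08101deadbeef")
```

Running `parse_geneve(SAMPLE)` yields one 4-byte option and `inner_mtu(1500, hdr)` returns 1442, which is the per-layer shrinkage the MTU discussion above is about.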