Isn't there also a third danger with anything that scales your bill as your app scales - the possibility of some black hat ddos-ing you for the hell of it?
Yes, but I guess in that case you would put your lambda function behind an API gateway, and limit the user requests.
If it's a static content you would serve it from a CDN.
Not a specialist on this, but that's what I would do.
Wouldn't an API gateway typically limit requests per IP/end user?
I guess it could limit global request rate. But the idea of unbounded elastic services behind a global rate limiter is just funny to me. Like a Ferrari with a 50mph limiter.