Hi,
Please, bear in mind that a pull subscription is a call that you make to a Pub/Sub topic in order to recover the pending messages, so the idea of triggering a Cloud Run or a Cloud Function with a pull subscription is hard to understand from my end. Would you mind clarifying it further?
About the ‘would be nice not to expose any REST endpoints on my services’, I’m not sure about what you are referring to. If you are concerned about the possibility of other people using your endpoint, you are able to configure authentication on your endpoint by using service accounts, this will protect your endpoint from external callers. Also, if you want to configure Pub/Sub as the only caller to your Cloud Run service, another option is only allow the internal traffic and configure an Eventarc trigger. Could you clarify this part too?
Kind regards.