Hey Al,
This conversation comes up all the time!
My opinion here is that generally you should still be securing internal applications, even if they're only accessible within a private network. People make mistakes all the time in configuring networks, and it can be pretty easy to mess up a firewall rule, or place an application in the wrong subnet, or add an internet gateway or peering link in the wrong place. And then your applications are exposed. Having some basic authentication/authorization checks in your internal applications can give you a second level of defense in the case that your application is inadvertently exposed, or an attacker finds a way into your network.
Additionally, if you have multiple applications running in the same VPC, there's a blast radius issue. If one application is compromised, an attacker could leverage the position of that application on the network to compromise the rest of the unsecured applications.
There are also potential insider threat concerns, though that depends on the nature of the applications and what kind of access insiders have.
Dylan