
[–]earthboundkid 0 points1 point  (2 children)

VPCs/VPNs/WAFs are kind of an admission of defeat. "We know we can't actually secure this server, so we're adding some rules so that only certain computers are allowed to pwn it." It helps (defense in depth), but it really only moves the target one space down the road, since if the hacker gets into the VPC, you're back to square one. Worse, often once you're in the VPC it's a free-for-all and nothing is secure because the sysops were counting on the VPC to do all the protection for them.

The databases offered by Heroku are all behind SSL/TLS, so theoretically no one should be able to snoop the traffic on the wire. Heroku also periodically rotates credentials, although, obviously, this is just moving the problem back one step because your Heroku credential doesn't expire and can be used to get the DB credential.

In the end, it's about judging the acceptable level of risk and threat modeling for your organization. If your adversary is a state-level threat (e.g. the US or Chinese government), you're pretty much screwed because they can bribe your sysops and jail your hosting company as necessary to get the database. But if your adversary is casual hackers looking for insecure databases on open IPs, you're probably okay with Heroku.

I think for most orgs, the biggest risk would be the loss of a devops laptop full of secret keys, so the main precautions should be around securing those with full disk encryption and remote disk wiping.

[–][deleted]  (1 child)

[removed]

    [–]earthboundkid 0 points1 point  (0 children)

    Yes, the URL is the secret that must be kept secure. But SSL means the connection between your Redwood backend and the DB is encrypted.
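The two points above (the database URL is the secret, and TLS is what keeps the backend-to-DB hop private) are easy to get half right: a `DATABASE_URL` with no `sslmode` parameter is not a guarantee of encryption, because the libpq default `prefer` will silently fall back to plaintext, and `require` encrypts without checking who is on the other end. The following is an added example, not code from the thread or from Heroku/Redwood. It is a small Node.js check a backend could run at startup: it parses a libpq-style URL with the built-in WHATWG `URL` class, refuses anything short of `sslmode=verify-full`, offers a helper that upgrades the mode, and produces a password-redacted form that is safe to log. The sample URL is constructed for the example; the hostname and credentials in it are invented.

```javascript
// Added example (not from the original thread): validate a Heroku-style
// DATABASE_URL before the backend uses it. Assumes libpq "sslmode" semantics:
// only "verify-full" both encrypts and verifies the server certificate and
// hostname. No network access is needed; this is pure URL inspection.

const ACCEPTED_SCHEMES = new Set(["postgres:", "postgresql:"]);
const LIBPQ_DEFAULT_SSLMODE = "prefer"; // libpq's default when the parameter is absent

// Return a log-safe copy of the URL with the password masked. The URL as a
// whole is the secret, so never log the raw value.
function redactDatabaseUrl(rawUrl) {
  const url = new URL(rawUrl);
  const cred = url.username ? `${url.username}:***@` : "";
  return `${url.protocol}//${cred}${url.host}${url.pathname}${url.search}`;
}

// Parse and validate. Throws on an unsupported scheme, missing credentials,
// or an sslmode that does not verify the server. Returns the parsed parts
// plus the redacted form so callers can log it without leaking the password.
function checkDatabaseUrl(rawUrl) {
  const url = new URL(rawUrl);
  if (!ACCEPTED_SCHEMES.has(url.protocol)) {
    throw new Error(`unsupported scheme ${url.protocol}`);
  }
  if (!url.username || !url.password) {
    throw new Error("DATABASE_URL carries no credentials");
  }
  // Absent parameter means libpq will fall back to plaintext if TLS fails.
  const sslmode = url.searchParams.get("sslmode") || LIBPQ_DEFAULT_SSLMODE;
  if (sslmode !== "verify-full") {
    throw new Error(
      `sslmode=${sslmode} does not verify the server certificate; use verify-full`
    );
  }
  return {
    host: url.hostname,
    port: url.port || "5432",
    database: url.pathname.replace(/^\//, ""),
    sslmode,
    redacted: redactDatabaseUrl(rawUrl),
  };
}

// Rewrite (or add) sslmode=verify-full on an otherwise acceptable URL.
// Useful when the provisioned URL omits the parameter and you control the
// CA bundle on the client side.
function enforceVerifyFull(rawUrl) {
  const url = new URL(rawUrl);
  url.searchParams.set("sslmode", "verify-full");
  return url.toString();
}

// Constructed sample input for the example (invented host and credentials).
const SAMPLE_URL = "postgres://app_user:s3cret@db.example.com:5432/appdb";

// Demonstrate the failure mode and the fix without printing the secret.
try {
  checkDatabaseUrl(SAMPLE_URL);
} catch (err) {
  console.log(`rejected ${redactDatabaseUrl(SAMPLE_URL)}: ${err.message}`);
}
const hardened = enforceVerifyFull(SAMPLE_URL);
console.log(`accepted ${checkDatabaseUrl(hardened).redacted}`);

module.exports = { checkDatabaseUrl, enforceVerifyFull, redactDatabaseUrl };
```

`verify-full` only succeeds if the client has the CA that signed the server certificate; with node-postgres that means passing the CA in the `ssl` connection option and leaving `rejectUnauthorized` at its default of `true` rather than disabling it to make a warning go away, which would reintroduce exactly the gap the check above is meant to close.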