By default, a Google Apps Script project cannot access a resource (like an API or a DB using JDBC) inside a corporate network. The company would have to put holes in their firewall for the GAS servers to be able to connect to those internal resources.
But since all GAS projects run on the same Google servers, using the same APIs, putting holes in the firewall means that ANYONE, including GAS projects outside the organization's G-Suite enterprise account, can access the resource inside the corporate network.
If we created a VPC between Google and our corporate network, would that allow only GAS projects in our G-Suite Enterprise organization to access internal resources?
GAS is meant for light-weight application development as part of G-Suite. But GCP recommends using GCP projects.
Since you want to connect to On-premise Network it's mainly on how you use it instead of what you are using. Simply add an IP range in your Database to exclude GAS IP(as you said holes). If you want to connect to other services then you can connect from any cloud node to On-premise Network; if you have authentication or firewall that doesn't restrict that IP.
Else, you can connect from any application(any IP) with pre-registered credentials that are generated on an on-premises network server like JWT authentication.