I don't have a comprehensive answer ready (and I'm not an infosec person per se, much more a devops person who has come from the Ops and networking side initially). But all things considered, and acknowledging that creating an easily digestible InfoSec 101 customized to the realities of a particular project is an awesome onboarding tool that will help a lot, I always try and teach people that it is a matter of some very basic engineering. If you design something, be it a function or a system, you need to think - how will this break? And thinking about what sensitive stuff is in there and how a malicious actor can game your system to extract or misuse it is just an angle in that analysis.