
We have an app running on Cloud Run and it is authenticated only from API Gateway.

But Cloud Run still has a *.run.app public domain associated with it, and it seems like it can still be a security issue for sensitive applications which deal with PII data.

How can we run Cloud Run inside a private VPC network so that a private IP is assigned to it?

Is this a con for Cloud Run over GKE in terms of private VPC network?

code tutorial
API Gateway team told me a month ago that Ingress Internal will be reachable from API Gateway natively. It's already the case for PubSub and Workflows. Stay tuned – guillaume blaquiere Mar 27 '22 at 19:44

1 Answer


Cloud Run cannot have a "private" IP for your service. In general, Cloud Run will always have its own *.run.app.

That said, what you can do is restrict the ingress of the service, but you should keep in mind that if you set the service as Private or Private + Load Balancer it will not be reachable by API Gateway, only by resources in the VPC.

Of course you can set an Internal Load Balancer + MIG as a proxy + Cloud Run private ingress, but this increases the configuration overhead.

I think this will change in the future, since there is a Feature Request to support Internal HTTPS Load Balancers + Serverless NEGs, and with ingress Internal and Cloud Load Balancing you will have a "private" IP for your service (you can ask for access to the preview here).

Answering your last question, "Is this a con for Cloud Run over GKE in terms of private VPC network?": this is something you should evaluate according to your requirements, and in general this particular question is opinion-based, which is off-topic. Consider the facts and choose what is better for you.

Puteri
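To go with the answer above, here is an added defender-side check (not code from the question, the answer or Google) that reads the JSON emitted by `gcloud run services list --format=json` and reports which services still expose their public *.run.app URL. It assumes the Knative-style layout of that JSON, where the ingress setting is the annotation `run.googleapis.com/ingress` with the values `all`, `internal` or `internal-and-cloud-load-balancing`, and that a missing annotation means `all`; the sample services, names and URLs are constructed for the example.

```python
"""Audit Cloud Run ingress settings from `gcloud run services list --format=json`.

Added example, not code from the question, the answer or Google. Assumption: the
ingress setting lives in metadata.annotations["run.googleapis.com/ingress"] and takes
the values "all", "internal" or "internal-and-cloud-load-balancing".
"""
import json

# Reachability per ingress setting, as described in the answer: "all" exposes the
# *.run.app URL to the internet, "internal" is reachable from the VPC only (so API
# Gateway cannot reach it), "internal-and-cloud-load-balancing" additionally allows
# Cloud Load Balancing in front of the service.
INGRESS_REACHABILITY = {
    "all": "public *.run.app URL; only IAM / API Gateway authentication protects it",
    "internal": "VPC-internal sources only; not reachable from API Gateway",
    "internal-and-cloud-load-balancing": "VPC-internal sources plus Cloud Load Balancing",
}


def ingress_of(service: dict) -> str:
    """Return the service's ingress setting (assumption: missing annotation means 'all')."""
    annotations = service.get("metadata", {}).get("annotations", {})
    return annotations.get("run.googleapis.com/ingress", "all")


def recommended_ingress(reached_by_api_gateway: bool) -> str:
    """Tightest ingress that still works, following the answer: API Gateway needs 'all'."""
    return "all" if reached_by_api_gateway else "internal"


def audit(services: list, pii_services: set) -> list:
    """Return one (name, ingress, severity, note) tuple per service."""
    findings = []
    for svc in services:
        name = svc["metadata"]["name"]
        ingress = ingress_of(svc)
        if ingress not in INGRESS_REACHABILITY:
            findings.append((name, ingress, "error", "unrecognised ingress value"))
            continue
        if ingress == "all":
            # A public URL on a service that handles PII is the case the question worries about.
            severity = "high" if name in pii_services else "medium"
        else:
            severity = "info"
        findings.append((name, ingress, severity, INGRESS_REACHABILITY[ingress]))
    return findings


# Constructed sample in the shape of `gcloud run services list --format=json` output.
SAMPLE_JSON = """
[
  {"metadata": {"name": "pii-api",
                "annotations": {"run.googleapis.com/ingress": "all"}},
   "status": {"url": "https://pii-api-abc123-uc.a.run.app"}},
  {"metadata": {"name": "internal-worker",
                "annotations": {"run.googleapis.com/ingress": "internal"}},
   "status": {"url": "https://internal-worker-abc123-uc.a.run.app"}},
  {"metadata": {"name": "legacy-web", "annotations": {}},
   "status": {"url": "https://legacy-web-abc123-uc.a.run.app"}}
]
"""
SAMPLE_SERVICES = json.loads(SAMPLE_JSON)
PII_SERVICES = {"pii-api"}  # constructed: services known to handle PII

if __name__ == "__main__":
    for name, ingress, severity, note in audit(SAMPLE_SERVICES, PII_SERVICES):
        print(f"[{severity:6}] {name:16} ingress={ingress:36} {note}")
```

Run it against real output by replacing `SAMPLE_JSON` with the file `gcloud run services list --format=json` writes; a `high` finding is a PII service whose *.run.app URL is still public and relies solely on invoker authentication, while `recommended_ingress` encodes the trade-off the answer describes: a service that must stay reachable from API Gateway currently has to keep `all`.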