All three of those examples still exploit DTP, VTP, or tag stacking, or require trunk access to jump VLANs, none of which should be present on an access port. The dynamic protocols shouldn’t be active on an access port and it should ignore tagged packets, and if there is a reason for tagged packets on there (like a voice VLAN), only the VLANs that need to be there should be available on the port.
ARP poisoning won’t cause packets handled by a layer 2 switch to jump VLANs, but it may cause a router to send traffic out an incorrect interface, as it is simply a mechanism to map layer 3 hosts to layer 2 addresses so switching works more efficiently. Anything without a layer 3 interface (like a switchport) won’t do anything with it; it is just looking at the addresses on the Ethernet frame.
Rogue DHCP servers also won’t cause a jump of VLANs on an access port at layer 2. They could give out bad address and routing information and cause a jump at layer 3… A Spanning Tree attack won’t cause a VLAN jump on a layer 2 access port either (it can cause a lot of other issues though…).
Those are some of the reasons I separate layer 2 and 3 into separate devices. Many of my switches are “layer 3” switches, but they are all configured as layer 2 only devices and routing is handled by routers.
VLANs are roughly the layer 2 switch equivalent of subnets in a router, and very commonly each layer 2 VLAN feeds a layer 3 subnet in a router. Both switches and routers can have many networks operating inside of them; it takes careful configuration to make sure only the desired networks are exposed on each interface, but since all the networks are present at each device, bad configuration can expose everything.
You are correct, VLANs alone are not security; they are simply a way to segment L2 traffic on a common device or cable. Could one gain a bit of security if each network had its own dedicated switch and cabling (and access points, etc.)? Likely by a small amount, but the number of way easier vulnerabilities at layers 3+ (including user-level social engineering) is likely a greater concern than someone with physical access handcrafting Ethernet packets in hopes of getting lucky before getting caught… However, it is not practical to have a stack of a dozen+ switches at every IDF and use dozens of strands of fiber (or big bundles of CAT6/7 cable) to the MDF, and also need one physical router per L2 network (you’re not going to combine them into VLANs inside a single router, are you, if you don’t believe in VLANs?), so it is a calculated risk taken for operational efficiency and reliability.
Defense in layers: anything using any type of communications port, including an HMI, is vulnerable to attack, so mitigation at every layer is necessary.
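The post above says access ports should not run DTP or VTP and should carry only the VLANs they need. As an added example (not from the post's author), here is a small audit script that parses a Cisco IOS-style running-config and flags access ports that can still negotiate a trunk, plus VTP left in server/client mode. The sample config is constructed, and the IOS command syntax (`switchport mode access`, `switchport nonegotiate`, `vtp mode`) is assumed rather than taken from the post.

```python
"""Audit a Cisco IOS-style config for access ports that can still negotiate a trunk (DTP) and for VTP left active."""
# Constructed sample config (not from any real switch); IOS command syntax is assumed.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 switchport nonegotiate
!
interface GigabitEthernet1/0/2
 switchport mode dynamic desirable
 switchport access vlan 10
!
interface GigabitEthernet1/0/3
 switchport access vlan 30
!
"""
def parse_interfaces(config: str) -> dict:
    """Map each 'interface X' stanza to its indented sub-commands."""
    stanzas, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            stanzas[current] = []
        elif current is not None and line.startswith(" "):
            stanzas[current].append(line.strip())
        else:
            current = None  # '!' or a global command ends the stanza
    return stanzas

def audit_access_ports(config: str) -> dict:
    """Return {interface: [findings]} for non-trunk ports that could be talked into trunking."""
    findings = {}
    for name, lines in parse_interfaces(config).items():
        mode = next((l.split()[2] for l in lines if l.startswith("switchport mode ")), None)
        if mode == "trunk":
            continue  # deliberate uplinks are reviewed separately
        # no 'switchport mode' line at all means the IOS default, dynamic auto
        issues = [] if mode == "access" else ["can negotiate a trunk via DTP; set 'switchport mode access'"]
        if "switchport nonegotiate" not in lines:
            issues.append("still sends DTP frames; add 'switchport nonegotiate'")
        if issues:
            findings[name] = issues
    return findings

def audit_vtp(config: str) -> list:
    """Flag VTP server/client mode, where a spoofed VTP update can rewrite the VLAN database."""
    modes = [l.split()[2] for l in config.splitlines() if l.startswith("vtp mode ")]
    mode = modes[-1] if modes else "server"  # IOS default when no 'vtp mode' line is present
    return [] if mode in ("transparent", "off") else [f"vtp mode {mode}; use transparent or off"]
```

Run `audit_access_ports(SAMPLE_CONFIG)` and `audit_vtp(SAMPLE_CONFIG)` against the sample: only GigabitEthernet1/0/1 passes, and the missing `vtp mode` line is reported as the server-mode default.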