Isolation AWS resources with multiple subnets vs multiple VPCs

I have AWS resources (e.g. EC2s, RDS instances) that I would like to isolate from each other so that if one is compromised, the potential damage is limited. I am most concerned about data leakage / exfiltration. I can group these resources into logical "areas". Some of the resources need access to the public internet. Some of the resources need API access to other resources in different areas. Occasionally, developers will need to make SSH connections to the resources via OpenVPN, so those keys might also be a security risk.

My understanding is that I can split my resources in a few ways:

• A single VPC and a single subnet with communication controlled by security groups (I understand this is not recommended, buy why?)
• A single VPC with multiple subnets and controlled communication between them
• Multiple VPCs each containing multiple subnets, with controlled communication between them

What are the security implications of each approach?