The post doesn't say anything about runtime resource limits, which I agree is a strange omission given the architecture they've chosen. I suppose someone could try building a bot that uses more and more resources, and see when it stops working.
There's a section about making HTTP requests (https://core.telegram.org/bots/serverless#http), which mentions "two constraints: * Response content is textual (binary payloads aren't supported). * The total response is capped at 32 MB. That cap covers the whole response — streaming with res.body lets you process a large body incrementally, but it does not raise the limit." Unclear whether the 32 MB limit is per outgoing request, or shared among all outgoing requests made by a single handler invocation. Also unclear what other limits apply. Non-HTTP protocols presumably are not available.
This means the code must pass the URL in cleartext so that Telegram can detect those who try to use bots for scraping and proxies.