Using from within a Google Cloud Project with VPC service controls enabled

I am pulling a docker image from from within a Google Cloud Project with VPC service controls enabled. This first resulted in a PERMISSION_DENIED error: NETWORK_NOT_IN_SAME_SERVICE_PERIMETER, which surprised me at first but quickly made sense when I found out that is hosted at Google and I had not yet configured an egress rule. With a bit of help from Google I learned that I need to allow access using the service account. This works perfectly, but I would like to confirm that I understand correctly how this works.

I currently assume that the docker pull request leaves my network through my default internet gateway and reaches, which is also hosted in a Google Cloud Project. Your service notices that I am coming from another Google Cloud Project and so decides to redirect me to the Google Storage API with a signed URL like: [...]/data?Expires=[...]&[…]

I am trying to understand where this service account comes into play, as this is not something I have configured anywhere, and the only thing I could come up with was the explanation above. It also explains why the docker daemon has no problem finding out whether it needs to get a new image or can use its already cached image, as this is a relatively cheap HEAD request that is not redirected to the Google Storage API. Is this a correct assumption?
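For reference, this is the general shape of a VPC Service Controls egress policy that lets one identity inside the perimeter read objects from a Cloud Storage bucket in a project outside it, which is the kind of rule the redirect to storage.googleapis.com described above requires. It is an added illustration, not configuration from the post or from Google; the service account, the external project number and the perimeter name are placeholders to be replaced with the values the registry provider gives you.

```yaml
# Egress policy for a VPC Service Controls perimeter (added example, not from the post).
# Placeholders: the service account, the external project number and the
# method list are assumptions; substitute the values your registry provider confirms.
- egressFrom:
    # Only this identity inside the perimeter may leave it for the listed resources.
    # Prefer a specific identity over identityType: ANY_IDENTITY, which would let
    # every principal in the perimeter reach the external bucket.
    identities:
    - serviceAccount:PULLER_SA@YOUR_PROJECT.iam.gserviceaccount.com
  egressTo:
    # The project outside the perimeter that hosts the bucket behind the signed URL.
    resources:
    - projects/EXTERNAL_PROJECT_NUMBER
    operations:
    - serviceName: storage.googleapis.com
      methodSelectors:
      # Read-only: enough to fetch image layers, nothing more.
      - method: google.storage.objects.get
```

Applied with `gcloud access-context-manager perimeters update PERIMETER_NAME --set-egress-policies=egress.yaml --policy=POLICY_ID`; audit logs for storage.googleapis.com on the perimeter will then show the allowed egress for that identity only, and any other principal attempting the same pull still receives NETWORK_NOT_IN_SAME_SERVICE_PERIMETER.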