For lambda env varibles, is it possible to enable the transit encryption option? I see we can supply a KMS ARN but that only covers it at rest

I don't know off the top of my head what the Lambda console's "Enable helpers for encryption in transit" does - I'm pretty sure that's not a core capbility of the underlying platform. What I think it does is just make KMS calls to encrypt the value before storing it as the value of the environment key, and then it's up to you to KMS decrypt the value you get inside the Lambda implementation. That's certainly possible to do via Pulumi as well using

aws.kms.getCipherText

to encrypt, and then

aws-sdk

KMS APIs at runtime to decrypt.