On the other hand, if a home user has a SRP+WDAC-style default-deny application control and also uses a SUA, is there a verified way for malware to start executing without Credential Guard and VBS (unless the user starts it on purpose, i.e. trusting the malware to be safe)?
Yes. Exploits that do not require elevated permissions & privileges or exploits that can obtain elevated permissions & privileges in a SUA without notifying the user. For example, kernel exploits.
If you are ultra-paranoid, then you worry about such things - that UK GCHQ is hacking you to death to get to your family photos to surveil you and your family, amongst other things like putting agents into your socks.
Uninstall VBS, WMIC, PowerShell ISE, and OpenSSH from Windows 11 features if you are not using them.
Best security advice:
1. Do not be a "user that wants to use stuff"; and
2. Do not solve digital device security with software alone. Instead focus on knowledge gained a little bit at a time. It will serve your goals & objectives much more effectively than simply installing software or disabling Windows features.
Windows security increases exponentially when unneeded, unsecure default features that ship with Windows are permanently disabled.
Security is not software. It is a process. That process requires adequate effort on the part of the user so that they understand an entire slew of inter-connected security matters. Learning the security process is a long process in and of itself.
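
An added example, not part of the post above: a PowerShell audit of the optional features the reply names, which reports each one's install state and removes the installed ones only when run with `-Remove`. It assumes "VBS" in that line means the VBScript feature on demand (not Virtualization-Based Security) and that the capability name prefixes below match your Windows 11 build; the script reports any prefix that is not offered.

```powershell
#Requires -RunAsAdministrator
# Added example: audit the Features on Demand named in the post; remove only with -Remove.
param([switch]$Remove)

# Capability name prefixes (assumption: 'VBSCRIPT' is what the post calls "VBS").
# 'OpenSSH' matches both the client and the server capability.
$prefixes = 'VBSCRIPT', 'WMIC', 'Microsoft.Windows.PowerShell.ISE', 'OpenSSH'

# Query the running image once, then match each prefix against the result.
$all = Get-WindowsCapability -Online

$report = foreach ($p in $prefixes) {
    $hits = $all | Where-Object { $_.Name -like "$p*" }
    if (-not $hits) {
        # Older or newer builds may not offer this capability at all.
        [pscustomobject]@{ Prefix = $p; Name = '(not offered on this build)'; State = 'Absent' }
        continue
    }
    foreach ($c in $hits) {
        [pscustomobject]@{ Prefix = $p; Name = $c.Name; State = "$($c.State)" }
    }
}

$report | Format-Table -AutoSize

if ($Remove) {
    foreach ($item in ($report | Where-Object { $_.State -eq 'Installed' })) {
        Write-Host "Removing $($item.Name)"
        $result = Remove-WindowsCapability -Online -Name $item.Name
        if ($result.RestartNeeded) {
            Write-Warning "$($item.Name): restart required to finish removal."
        }
    }
    # Re-query so the final table reflects the actual post-removal state.
    Get-WindowsCapability -Online |
        Where-Object { $n = $_.Name; $prefixes | Where-Object { $n -like "$_*" } } |
        Format-Table Name, State -AutoSize
}
```

Run it without `-Remove` first to confirm nothing you rely on (for example an SSH client used for remote administration) is in the list.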