Well, best practice would be to NOT choose your security scanning and testing procedures based on one application or platform, but based on the totality of your environment. Power Platform is only one facet of a modern organization's risk profile. A mature security control process considers it in context, not as a standalone.
That said, an effective security control process for Power Platform includes evaluating any custom code being deployed to Power Platform, the permission controls in place in any Dataverse databases, the procedures involved with requesting, granting, and revoking elevated privileges, conditional access policies in AAD, Data Loss Prevention policies, and appropriate security around any supporting services, such as Azure.
At a minimum, that means frequent static code analysis and remediation, a governance process for granting and monitoring access controls and consumption, and AAD log monitoring to watch for anomalous behavior. These are effective security controls that directly deliver value. After that, the organization's Cs folks can choose whatever scans they want based on the bigger environmental picture.
