But you can still do things like not allow your DB to make connections to the outside world, or receive connections other than from the application and authorized admins. And similarly for the app, it can be prevented from talking to anyone it doesn’t need to be talking to.

They can still be badly behaved, but you are least control the blast radius.