That doesn't seem very different to a client-server setup. If your DB is on a different server and your app is compromised the attacker has similar access to the DB as if it was on the same disk.