It all comes down to where the boundary for data access is implemented, and how strictly.

If your webapp has unfettered database access then don't be surprised if it is hacked and someone can do `select * from users` and then post that dump somewhere.

The attack surface changes if your webapp can only do a REST call to pull a single user record at a time. That way you can put some auditing in, you can put rate limiting in to detect that, etc.

Obviously the user record REST API endpoint is still vulnerable, but it's a much smaller attack surface, easier to audit, and can be monitored a lot more closely.

Yes, ultimately, there will still be a set of vulnerable humans that have access to the database servers themselves, and they can always walk out of the place with an SD card hidden in a Rubik's cube, but there has to be an element of trust somewhere.

The problem is that too many people put that trust boundary way too far out into the big bad Internet. Or don't even consider it at all and just rely on the fact that other targets are more appealing.

reply
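The boundary described in the comment above, as an added example that is not part of the original thread: a data-access service that hands out one user record per call, writes an audit entry for every lookup, and rate-limits callers so that bulk enumeration shows up in the log. The class, function and caller names, the limits and the sample data are all hypothetical.

```python
import time
from collections import defaultdict, deque

# Constructed sample data standing in for the users table (assumption).
USERS = {i: {"id": i, "name": f"user{i}", "email": f"user{i}@example.test",
             "password_hash": "<placeholder>"} for i in range(1, 101)}
PUBLIC_FIELDS = ("id", "name", "email")  # the boundary never returns the hash


class RateLimited(Exception):
    """Raised when a caller exceeds its lookup budget for the window."""


class UserRecordService:
    """The only path from the web tier to user data: one record per call."""

    def __init__(self, max_calls=5, window_s=60.0, clock=time.monotonic):
        self.max_calls, self.window_s, self.clock = max_calls, window_s, clock
        self._calls = defaultdict(deque)  # caller -> timestamps inside window
        self.audit_log = []               # (timestamp, caller, user_id, outcome)

    def get_user(self, caller, user_id):
        now = self.clock()
        window = self._calls[caller]
        # Drop lookups that have aged out of the sliding window.
        while window and now - window[0] >= self.window_s:
            window.popleft()
        if len(window) >= self.max_calls:
            # Denied attempts are audited too: they are the detection signal.
            self.audit_log.append((now, caller, user_id, "rate_limited"))
            raise RateLimited(f"{caller}: more than {self.max_calls} lookups "
                              f"in {self.window_s}s")
        window.append(now)
        record = USERS.get(user_id)
        outcome = "ok" if record else "not_found"
        self.audit_log.append((now, caller, user_id, outcome))
        return {k: record[k] for k in PUBLIC_FIELDS} if record else None

    def flagged_callers(self):
        """Callers that hit the limit at least once, for alerting or review."""
        return sorted({caller for _, caller, _, outcome in self.audit_log
                       if outcome == "rate_limited"})
```
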
There are layers of understanding about security, and people assume they are doing their best as per their knowledge.

Databases (SQL) have the concept of views, restricted access going all the way to column level.

Connections can be restricted from the firewall itself.

One can have mTLS connections with the database on top of it to beef up security.

Unfortunately the generation of people who knew and did all this is just considered friction and has been made obsolete.

reply