It seems that some simple things are not managed well on the security front, specifically the lack of encryption of the data stored in the database. While backups can be encrypted (most backup tools support it), the data itself sits unencrypted in the database. The usual counter-argument is that if the host is owned, then anything the host can do, such as decrypting the data, is trivial for the attacker.
But is that really the case?
It seems there is some confusion about the very concept of access control. For example, while root can change a password, it cannot know a password. In the same way, a subsystem can enforce access control over specific functions. That access can be a basic rights check, and it can also be adjudicated by a third party. For example, the encryption/decryption function might require a certificate of some kind, and a third-party certificate server would be the one to legitimate the identity of the subsystem in the course of encryption/decryption. OAuth certificates issued by providers essentially grant a specific application communication rights. The same can be used for encryption/decryption rights, which is just another communication protocol.
Having an embedded OAuth server in a local or neighbor system might be viable.
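A minimal sketch of the arrangement argued for above, added here as an illustration and not taken from the original post: a separate key service holds the master key and adjudicates, per caller identity, whether a data key may be unwrapped, so rows in the database are stored as ciphertext and a copy of the database alone does not yield plaintext. The `KeyService` class, the token-based identities and the record layout are assumptions made for this example; the authenticated cipher is a toy built from HMAC-SHA256 so the code runs on the standard library, standing in for AES-GCM or similar.

```python
import hashlib
import hmac
import secrets

# --- Toy authenticated cipher (assumption: stands in for AES-GCM so the example
# runs on the standard library alone; not for production use) ---

def _derive(key: bytes, label: bytes) -> bytes:
    """Derive a purpose-specific subkey so encryption and MAC keys differ."""
    return hmac.new(key, label, hashlib.sha256).digest()

def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF keystream: HMAC(enc_key, nonce || counter) blocks, truncated to length."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    ks = _keystream(_derive(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_derive(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; raises ValueError on a wrong key or modified data."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_derive(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or modified data")
    ks = _keystream(_derive(key, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))

# --- Hypothetical third-party key service (assumption: runs on its own host) ---

class KeyService:
    """Holds the master key and only wraps/unwraps per-record data keys for
    callers presenting a valid token with the needed permission. The database
    host never sees the master key, and every decision is recorded."""

    def __init__(self):
        self._master = secrets.token_bytes(32)
        self._clients = {}  # token -> (client_id, allowed operations)
        self.audit = []     # (client_id, operation, outcome) for each request

    def register(self, client_id: str, ops) -> str:
        token = secrets.token_hex(16)
        self._clients[token] = (client_id, frozenset(ops))
        return token

    def _authorize(self, token: str, op: str) -> None:
        client_id, allowed = self._clients.get(token, ("unknown", frozenset()))
        if op not in allowed:
            self.audit.append((client_id, op, "DENIED"))
            raise PermissionError(f"{client_id} may not {op}")
        self.audit.append((client_id, op, "OK"))

    def new_data_key(self, token: str):
        """Return a fresh data key together with its copy wrapped under the master key."""
        self._authorize(token, "wrap")
        data_key = secrets.token_bytes(32)
        return data_key, seal(self._master, data_key)

    def unwrap(self, token: str, wrapped: bytes) -> bytes:
        self._authorize(token, "unwrap")
        return unseal(self._master, wrapped)

# --- Application side: envelope encryption, one data key per row ---

def store(db: dict, ks: KeyService, token: str, row_id: int, plaintext: bytes) -> None:
    data_key, wrapped = ks.new_data_key(token)
    db[row_id] = {"wrapped_key": wrapped, "ciphertext": seal(data_key, plaintext)}

def read(db: dict, ks: KeyService, token: str, row_id: int) -> bytes:
    row = db[row_id]
    return unseal(ks.unwrap(token, row["wrapped_key"]), row["ciphertext"])

def demo() -> dict:
    ks = KeyService()
    db = {}  # stands in for the table on the database host (constructed sample)
    app_token = ks.register("billing-app", ["wrap", "unwrap"])
    store(db, ks, app_token, 1, b"card ending 4242")
    readback = read(db, ks, app_token, 1)

    # A copy of the row (wrapped key + ciphertext) without a valid token is refused
    try:
        ks.unwrap("not-a-registered-token", db[1]["wrapped_key"])
        intruder_blocked = False
    except PermissionError:
        intruder_blocked = True

    # A modified ciphertext fails the tag check instead of decrypting to garbage
    damaged = bytearray(db[1]["ciphertext"])
    damaged[20] ^= 0x01
    try:
        unseal(ks.unwrap(app_token, db[1]["wrapped_key"]), bytes(damaged))
        tamper_detected = False
    except ValueError:
        tamper_detected = True

    return {
        "readback": readback,
        "plaintext_on_disk": b"4242" in db[1]["ciphertext"],
        "intruder_blocked": intruder_blocked,
        "tamper_detected": tamper_detected,
        "audit": ks.audit,
    }

if __name__ == "__main__":
    print(demo())
```

The point of the split is the one the post makes about root and passwords: the database host can ask for a decryption, but cannot perform one by itself, and the denied `unwrap` shows up in the key service's audit trail rather than silently succeeding.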
Some other notes/thoughts: