
I have a fundamental question...

Why is the auth database a part of the application to begin with? Why is it not externalized away behind a single service with bare-minimum "set-password/is-this-my-password/trigger-x" endpoints exposed to the application, with per-route/per-source/per-question rate limiting? This is 2020, not 2001.
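One way to sketch the bare-minimum auth service the comment describes, as an added example that is not from the thread: the application only ever gets a yes/no answer, never a hash, and every (route, source) pair has its own budget. The route names, limits, the in-process store and the PBKDF2 parameters are assumptions.

```python
import hashlib
import hmac
import os
import time
from collections import defaultdict, deque


class RateLimited(Exception):
    """Raised when a (route, source) pair exhausts its window budget."""


class AuthService:
    """Minimal externalised auth service: callers get yes/no answers only."""

    def __init__(self, limits, clock=time.monotonic):
        self.limits = limits          # route -> (max_calls, window_seconds); assumed values
        self.clock = clock            # injectable so the demo can freeze time
        self._store = {}              # user -> (salt, pbkdf2 hash); never leaves this class
        self._calls = defaultdict(deque)   # (route, source) -> call timestamps

    def _check_rate(self, route, source):
        """Sliding-window limit keyed by route *and* calling source."""
        max_calls, window = self.limits[route]
        now, q = self.clock(), self._calls[(route, source)]
        while q and now - q[0] > window:
            q.popleft()
        if len(q) >= max_calls:
            raise RateLimited(f"{route} from {source}")
        q.append(now)

    @staticmethod
    def _derive(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def set_password(self, source, user, password):
        self._check_rate("set-password", source)
        salt = os.urandom(16)
        self._store[user] = (salt, self._derive(password, salt))

    def is_this_my_password(self, source, user, password):
        """Constant-time compare; unknown users cost the same work as known ones."""
        self._check_rate("is-this-my-password", source)
        known = user in self._store
        salt, expected = self._store.get(user, (b"\x00" * 16, b"\x00" * 32))
        return hmac.compare_digest(self._derive(password, salt), expected) and known


def demo():
    """Constructed walk-through with a frozen clock so the window never slides."""
    svc = AuthService({"set-password": (2, 60), "is-this-my-password": (3, 60)},
                      clock=lambda: 0.0)
    svc.set_password("web-app", "alice", "correct horse battery")
    results = [svc.is_this_my_password("web-app", "alice", p)
               for p in ("correct horse battery", "wrong")]
    results.append(svc.is_this_my_password("web-app", "bob", "anything"))
    try:                                   # fourth call from the same source: over budget
        svc.is_this_my_password("web-app", "alice", "correct horse battery")
        limited = False
    except RateLimited:
        limited = True
    results.append(svc.is_this_my_password("batch-job", "alice", "correct horse battery"))
    return results, limited                # -> ([True, False, False, True], True)
```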



Because while service-oriented architecture is currently "hot", it's not a requirement for many systems, and the monolith is still king in most corporate environments.

It's not just because the decade counter changed that everyone must rewrite their systems using the latest fad.


If you have a single database, located on a single server, you have a single security domain. No amount of hand waving is going to create a magic security boundary that will not be crossed by the most banal part of the application.



