You're Probably Storing Passwords Incorrectly

Something I haven’t seen mentioned is row-level encryption of database fields. That protects you from some attacks and not others, of course, and it’s a high-end database feature… but when you have it, it makes sense to use it. (And you can always change your database backend code to use it at a higher level - but that’s slow, and an enormous pain to keep synched between backends, especially if you work in several different languages, to say nothing of when you have inline SQL queries.)