Total security in a PostgreSQL database (ibm.com)
27 points by thejo on Nov 19, 2009 | 3 comments


I've only skimmed this, but it looks like a great post, covering an area of database security almost everyone overlooks. There is no reason your app needs to run with carte blanche access to every table in the database, especially when your app is primarily driven by reads.

I've been on pentest engagements where clients have survived rather horrible SQL injection vulnerabilities because the database handle the injection happened on had no meaningful privileges.


Also why stored procedures are often recommended since you can apply access controls around them.
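The two comments above describe the same defensive pattern: give the application's database handle only the privileges it needs, and route writes through stored procedures that carry their own access controls. The following PostgreSQL script is an added example illustrating both points; it is not from the IBM article or from the commenters, and every name in it (the roles app_ro, app_rw and order_writer, the orders table, the place_order function, the placeholder passwords) is assumed for illustration.

```sql
-- Added example: least-privilege roles plus a SECURITY DEFINER write path.
-- All object and role names are assumed; passwords are placeholders.
-- Run as a superuser (or the database owner) once; the application then
-- connects as app_ro for reads and app_rw for writes.

-- 1. Separate login roles for the read and write paths of the application.
CREATE ROLE app_ro LOGIN PASSWORD 'replace-me-ro';
CREATE ROLE app_rw LOGIN PASSWORD 'replace-me-rw';

-- Non-login role that owns the write function; it holds the INSERT
-- privilege so the function does not have to run as a superuser.
CREATE ROLE order_writer NOLOGIN;

-- Older PostgreSQL releases grant CREATE on schema public to everyone;
-- take that away and hand out USAGE explicitly.
REVOKE ALL ON SCHEMA public FROM PUBLIC;
GRANT USAGE ON SCHEMA public TO app_ro, app_rw, order_writer;

-- 2. A sample table (constructed for the example).
CREATE TABLE orders (
    id          serial PRIMARY KEY,
    customer_id integer NOT NULL,
    amount      numeric(12, 2) NOT NULL,
    created_at  timestamptz NOT NULL DEFAULT now()
);

-- 3. Read path: app_ro can SELECT and nothing else. An injection on a
--    read-only handle cannot INSERT, UPDATE, DELETE or ALTER here.
GRANT SELECT ON orders TO app_ro;

-- 4. Write path: only order_writer may insert, and it needs the sequence
--    behind the serial column as well.
GRANT INSERT ON orders TO order_writer;
GRANT USAGE ON SEQUENCE orders_id_seq TO order_writer;

-- The function validates its arguments and runs with order_writer's
-- privileges (SECURITY DEFINER). Pinning search_path stops a caller from
-- shadowing objects the function references.
CREATE FUNCTION place_order(p_customer integer, p_amount numeric)
RETURNS integer
LANGUAGE plpgsql
SECURITY DEFINER
SET search_path = public, pg_temp
AS $$
DECLARE
    new_id integer;
BEGIN
    IF p_amount <= 0 THEN
        RAISE EXCEPTION 'amount must be positive, got %', p_amount;
    END IF;
    INSERT INTO orders (customer_id, amount)
    VALUES (p_customer, p_amount)
    RETURNING id INTO new_id;
    RETURN new_id;
END
$$;
ALTER FUNCTION place_order(integer, numeric) OWNER TO order_writer;

-- Functions are executable by PUBLIC by default; restrict EXECUTE to app_rw.
REVOKE EXECUTE ON FUNCTION place_order(integer, numeric) FROM PUBLIC;
GRANT EXECUTE ON FUNCTION place_order(integer, numeric) TO app_rw;

-- 5. Verify the effective privileges from each role's point of view.
SET ROLE app_ro;
SELECT has_table_privilege('orders', 'SELECT') AS ro_can_select,
       has_table_privilege('orders', 'INSERT') AS ro_can_insert;
RESET ROLE;

SET ROLE app_rw;
SELECT has_table_privilege('orders', 'INSERT') AS rw_direct_insert,
       has_function_privilege('place_order(integer, numeric)', 'EXECUTE')
           AS rw_can_place_order;
SELECT place_order(42, 19.99) AS new_order_id;
RESET ROLE;
```

The final checks are the part worth keeping in a deployment script: has_table_privilege and has_function_privilege let you assert that the read-only role can select but not insert, and that the writing role can call place_order without holding INSERT on the table directly. If a later migration accidentally grants the application role more than this, those queries are where the drift shows up.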


A great article! It made me realize that I need to be much more careful in setting up restrictions for PostgreSQL users (i.e., client applications).



