Separate schema, no read permissions for the application identity is sufficient. It's not like "separate db" makes it magically unqueryable.
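
Added example, not part of the comment above: one way to set up a separate schema that the application identity can write to but not read. It assumes PostgreSQL and an insert-only application; the names `restricted`, `restricted.records`, `app_user` and `reader` are hypothetical.

```sql
-- Added example. PostgreSQL assumed; all object and role names are hypothetical.
-- Run as an administrative role that is NOT the application identity:
-- a table's owner holds every privilege on it, so the app must not own it.
BEGIN;

CREATE ROLE app_user LOGIN;   -- the application identity
CREATE ROLE reader NOLOGIN;   -- separate identity that is allowed to read

CREATE SCHEMA restricted;
CREATE TABLE restricted.records (
    recorded_at timestamptz NOT NULL DEFAULT now(),
    actor       text        NOT NULL,
    detail      jsonb       NOT NULL
);

-- Make the starting point explicit: nothing is granted through PUBLIC.
REVOKE ALL ON SCHEMA restricted FROM PUBLIC;
REVOKE ALL ON ALL TABLES IN SCHEMA restricted FROM PUBLIC;

-- USAGE lets a role resolve names inside the schema; it grants no data access.
GRANT USAGE ON SCHEMA restricted TO app_user, reader;

-- The application may add rows and nothing else.
-- Without SELECT it also cannot use INSERT ... RETURNING on this table.
GRANT INSERT ON restricted.records TO app_user;

-- Reads go through a different identity.
GRANT SELECT ON restricted.records TO reader;

COMMIT;

-- Check the effective privileges instead of trusting the GRANT statements.
-- Expected: app_user -> can_insert = true,  can_select = false
--           reader   -> can_insert = false, can_select = true
SELECT r.rolname,
       has_schema_privilege(r.rolname, 'restricted', 'USAGE')         AS schema_usage,
       has_table_privilege(r.rolname, 'restricted.records', 'INSERT') AS can_insert,
       has_table_privilege(r.rolname, 'restricted.records', 'SELECT') AS can_select
FROM pg_roles AS r
WHERE r.rolname IN ('app_user', 'reader')
ORDER BY r.rolname;
```

Superusers and any role that `app_user` is a member of can still read the table, so the check should be repeated whenever role membership changes.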