Why can’t the attacker with db access drop the trigger?
You could (and should) run with minimal permissions which would exclude DDL.