I have the same security concerns that you express for your clients. The secret lies with the database. Since I am using Wappler for my development platform, they do allow you to develop with MariaDB. This is the database I am using.
First, I have encrypted the entire database (encryption-at-rest) with a 512k key which is also encrypted. This protects me from a hacker who wants to copy portions or the entire database. Next, I have the SSL Certificate that protects me from communication hacks. Thirdly, I implement Wappler security that protects me from hackers trying to get in through a page. I have also encrypted the error logs that MariaDB generates. But here is the most important part. It is database normalization.
You further protect your database by hiding the data. Let me try to explain. Say you have a customer table and you wish to store their name, address, and phone numbers. Most developers would just place all this information into one table. From database design and security that would be bad. All a hacker would have to do is ID the table and gather all the information. But if it were normalized, he would have to access the customer, address, and phone number tables. Any table opened by itself would be meaningless. So instead of one table you have four. Now here is the thing: you will need to do searches on these tables, and to do so you require indexes. After I identify what searches need to be performed, I create a table that contains those indexes. When I do a search, I search on those indexes in that table. In other words, you try not to search on the main tables (customer, address, phone number).
By doing the above you can manage a terabyte of data and secure it all within one database. Scalability is easy. Management is easy. One note: Encryption-at-rest carries a performance segregation of 3% which is basically nothing.
I hope this gives you a little more to digest.
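
The layout described in the post above, sketched as an added example that is not part of the original post or of Wappler. It assumes an in-memory SQLite database standing in for MariaDB; the table and column names, the `customer_search` table and the sample rows are all constructed for illustration.

```python
import sqlite3

SCHEMA = """
CREATE TABLE customer (customer_id INTEGER PRIMARY KEY, name TEXT NOT NULL);
CREATE TABLE address  (address_id INTEGER PRIMARY KEY, customer_id INTEGER NOT NULL
                       REFERENCES customer(customer_id), street TEXT, city TEXT);
CREATE TABLE phone    (phone_id INTEGER PRIMARY KEY, customer_id INTEGER NOT NULL
                       REFERENCES customer(customer_id), number TEXT NOT NULL);
-- Dedicated search table: one row per searchable term, pointing at a customer.
CREATE TABLE customer_search (kind TEXT NOT NULL, term TEXT NOT NULL,
                              customer_id INTEGER NOT NULL REFERENCES customer(customer_id));
CREATE INDEX idx_customer_search ON customer_search(kind, term);
"""

def norm(kind, value):
    # Phones match on digits only; everything else matches case-insensitively.
    if kind == "phone":
        return "".join(ch for ch in value if ch.isdigit())
    return value.strip().lower()

def add_customer(conn, name, street, city, phones):
    cid = conn.execute("INSERT INTO customer(name) VALUES (?)", (name,)).lastrowid
    conn.execute("INSERT INTO address(customer_id, street, city) VALUES (?,?,?)",
                 (cid, street, city))
    terms = [("name", norm("name", name)), ("city", norm("city", city))]
    for number in phones:
        conn.execute("INSERT INTO phone(customer_id, number) VALUES (?,?)", (cid, number))
        terms.append(("phone", norm("phone", number)))
    conn.executemany("INSERT INTO customer_search(kind, term, customer_id) VALUES (?,?,?)",
                     [(k, t, cid) for k, t in terms])
    return cid

def search(conn, kind, value):
    # Searches touch only customer_search, never the three data tables.
    rows = conn.execute("SELECT customer_id FROM customer_search WHERE kind=? AND term=? "
                        "ORDER BY customer_id", (kind, norm(kind, value)))
    return [r[0] for r in rows]

def load_customer(conn, cid):
    # Data tables are read by key only, after the search has produced an id.
    name = conn.execute("SELECT name FROM customer WHERE customer_id=?", (cid,)).fetchone()[0]
    addr = conn.execute("SELECT street, city FROM address WHERE customer_id=?", (cid,)).fetchone()
    phones = [r[0] for r in conn.execute(
        "SELECT number FROM phone WHERE customer_id=? ORDER BY phone_id", (cid,))]
    return {"name": name, "address": addr, "phones": phones}

def build_demo():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    add_customer(conn, "Ada Example", "1 Sample St", "Springfield", ["555-0100"])
    add_customer(conn, "Bob Example", "2 Sample St", "Springfield", ["555-0101", "555-0102"])
    return conn
```

The `customer_id` columns are what link the tables, so any account that can read all four can rebuild full records with a join. The split limits what a read of one table yields, and per-table privileges are what keep it that way.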