From 7.2 onwards, in the farcryConstructor you can set this.dsn_write and set up each DSN to use different database users that have different permissions.
Also, as I mentioned above, if you have a public-facing copy of the site you can configure the users in the database to only have access to your FarCry app DB and to not have permissions to make changes to the schema, etc., to mitigate the surface area of any attacks.
Then you can set up an internal copy of your app which you use to administer it and that DSN can be configured with a DB user who does have elevated permissions so that you can do the things you need to do.
This is all possible now, no code changes required.
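The database side of the split described in the post above, as an added example that is not part of the original post or of FarCry itself. It assumes MySQL; the database name, user names, host addresses and password placeholders are hypothetical.

```sql
-- Added example. Assumptions: MySQL, an app database named farcry_app,
-- and hypothetical hosts 10.0.1.10 (public copy) and 10.0.2.10 (internal copy).

-- Account behind the DSN of the public-facing copy:
-- data access only, scoped to the FarCry app database, no schema changes.
CREATE USER 'farcry_public'@'10.0.1.10'
  IDENTIFIED BY '<PUBLIC_PASSWORD_PLACEHOLDER>';
GRANT SELECT, INSERT, UPDATE, DELETE
  ON farcry_app.* TO 'farcry_public'@'10.0.1.10';

-- Account behind the DSN of the internal administration copy:
-- the same data access plus the schema privileges needed for admin work.
CREATE USER 'farcry_admin'@'10.0.2.10'
  IDENTIFIED BY '<ADMIN_PASSWORD_PLACEHOLDER>';
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, ALTER, DROP, INDEX
  ON farcry_app.* TO 'farcry_admin'@'10.0.2.10';

-- Review what each account actually holds.
SHOW GRANTS FOR 'farcry_public'@'10.0.1.10';
SHOW GRANTS FOR 'farcry_admin'@'10.0.2.10';

-- Audit: schema-level privileges of the public account that fall outside
-- the intended scope (a non-DML privilege, or any privilege on another
-- database). Zero rows means the account is scoped as intended.
-- The grantee column stores the quoted form 'user'@'host'.
SELECT grantee, table_schema, privilege_type
FROM information_schema.schema_privileges
WHERE grantee = '''farcry_public''@''10.0.1.10'''
  AND (table_schema <> 'farcry_app'
       OR privilege_type NOT IN ('SELECT', 'INSERT', 'UPDATE', 'DELETE'));

-- Audit: global privileges of the public account. Only USAGE
-- (no privileges) should be listed.
SELECT grantee, privilege_type
FROM information_schema.user_privileges
WHERE grantee = '''farcry_public''@''10.0.1.10''';
```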