General information
Category:
Coding, syntax & commands
>>It is more effort, but offers less info about your setup "into the wild". Just knowing that such a server exists may attract unwelcome visitors.
>
>True, but allowing local connections only does not harden any sql server. Web services as the only interface and gateway to the server are surely limiting the risk of sql injection for example, but there are surely other attack vectors, sometimes from an account at the same hoster, sometimes by uploads, ftp, whatever.
I see "missing info" about which backend technology is actually used as a major benefit. Perhaps the WS does nothing other than calling via PHP, Python or Java into another web site. As long as the WS intermediate technology is not known, any attacker has to try the full spectrum.
>I'd harden the sql server in such a way it's safe to allow remote connections. To rely on limiting local connections is false safety, isn't it?
As long as it is not in a DMZ for sure - and now we are probably very far off the OP base surroundings <g>.
Let's just agree that
the WS offers decoupling and *some* added security (even if only by obscurity!)
but needs more programming effort, adds failable parts and incurs probably a small price hike
and we differ on whether it is worth the effort<bg>
regards
thomas