It's safe enough. Since the credentials are stored in a protected (we hope!) file on a protected (we hope!) server, there's little chance that anyone unauthorized can get at them. However, it never hurts to give the webapp its own security account with rights limited to only what that app needs.
Unfortunately, those rights tend to be pretty broad, since they're the greatest common denominator of all users of that particular pool of connections.
When it comes to destroying a civilization, gas chambers cannot hold a candle to echo chambers.