1. That's a good setup even if the backend servers aren't shared.

See Safe::World as an alternative. Safe::World may not protect against this by default.