@vrms, thanks for the pointer, but I could not find a clue about PCI DSS compliance in the ‘docker compliance’. Actually, docker itself is not so secure for such an environment per se. If I am not clear, please have a look at Payment Card Industry Data Security Standard - Wikipedia
Unlike what you stated, if the db and apps are separated in the same datacenter with compression and p2p encryption, the latency would not be a problem, I guess, except for some overhead for encoding and decoding.
There is a site configuration option `db_host` (like `db_username` and `db_password`). Ideally, you would want the whole bench to use a common db host, so there’s a command `bench set-mariadb-host` that sets this value in `common_site_config.json`.
You can run `bench set-mariadb-host` after moving the database to another server and the system will use the new db host. Or you can skip bench setup in the installation script and run `bench set-mariadb-host` before you install the first site.
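The reply above describes the config mechanics: a bench-wide `db_host` in `sites/common_site_config.json`, with per-site `site_config.json` files alongside it. The script below is an added illustration written for this thread, not code from bench or frappe. It reimplements the `db_host` update in plain Python (atomic write, other keys preserved) and then merges common and site config the way I understand frappe resolves them (site values override common ones; that precedence is my assumption, as is the layout `sites/<site>/site_config.json`). The config contents and the hostname `db.internal.example` are constructed sample data. The point worth seeing is the failure mode: a site that still carries its own `db_host` from a single-server install keeps talking to the old host after the bench-wide value changes, so the script reports any keys the site config overrides.

```python
import json
import os
import tempfile

# Constructed sample configs (not taken from any real bench).
COMMON_CONFIG = {
    "db_host": "127.0.0.1",
    "db_port": 3306,
    "redis_cache": "redis://localhost:13000",
}
SITE_CONFIG = {
    "db_name": "_1a2b3c4d",
    "db_password": "change-me",
}


def _read_json(path):
    with open(path, encoding="utf-8") as f:
        return json.load(f)


def _write_json(path, data):
    # Write a temp file in the same directory, then rename over the target,
    # so an interrupted write never leaves a truncated config behind.
    tmp = path + ".tmp"
    with open(tmp, "w", encoding="utf-8") as f:
        json.dump(data, f, indent=1, sort_keys=True)
        f.write("\n")
    os.replace(tmp, path)


def build_demo_bench(root, site="site1.local"):
    """Create a minimal bench-like layout (assumed: sites/common_site_config.json
    and sites/<site>/site_config.json) from the constructed samples above."""
    sites = os.path.join(root, "sites")
    os.makedirs(os.path.join(sites, site), exist_ok=True)
    _write_json(os.path.join(sites, "common_site_config.json"), COMMON_CONFIG)
    _write_json(os.path.join(sites, site, "site_config.json"), SITE_CONFIG)
    return sites


def set_mariadb_host(sites_dir, host):
    """Set db_host in common_site_config.json, keeping every other key.
    This mirrors the effect of `bench set-mariadb-host`; it is a
    reimplementation for illustration, not bench's own code."""
    if not host or any(c.isspace() for c in host):
        raise ValueError("db_host must be a non-empty hostname or IP")
    path = os.path.join(sites_dir, "common_site_config.json")
    config = _read_json(path) if os.path.exists(path) else {}
    config["db_host"] = host
    _write_json(path, config)
    return config


def effective_db_config(sites_dir, site):
    """Merge common_site_config.json with the site's site_config.json.
    Assumption: per-site values override common ones, so a leftover db_host
    in site_config.json silently wins over the bench-wide setting.
    Returns (merged config, list of keys the site overrides)."""
    common = _read_json(os.path.join(sites_dir, "common_site_config.json"))
    per_site = _read_json(os.path.join(sites_dir, site, "site_config.json"))
    merged = {**common, **per_site}
    overridden = sorted(k for k in per_site if k in common and per_site[k] != common[k])
    return merged, overridden


def demo():
    """Run the whole scenario in a throwaway directory and return the results."""
    with tempfile.TemporaryDirectory() as root:
        sites = build_demo_bench(root)
        before, _ = effective_db_config(sites, "site1.local")
        set_mariadb_host(sites, "db.internal.example")
        after, overridden = effective_db_config(sites, "site1.local")
        # Now give the site its own db_host, as a site set up on a single
        # server might still have, and show that it masks the common value.
        site_cfg_path = os.path.join(sites, "site1.local", "site_config.json")
        site_cfg = _read_json(site_cfg_path)
        site_cfg["db_host"] = "127.0.0.1"
        _write_json(site_cfg_path, site_cfg)
        stale, stale_overridden = effective_db_config(sites, "site1.local")
        return {
            "before": before["db_host"],
            "after": after["db_host"],
            "other_keys_kept": after["redis_cache"],
            "overridden_after": overridden,
            "stale_host": stale["db_host"],
            "stale_overridden": stale_overridden,
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Before relying on the bench-wide setting after a database move, grep each `sites/*/site_config.json` for `db_host`; any hit is a site that will ignore the new value until that key is removed or updated.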