By default when i create a new site with erp next on my frappe bench a new SQL user is generated.
The only security seems to be that login is restricted to the host where the site is created. No ssl/tls requirements are set by default. Incase of an external db that means the connection is NOT encrypted. Is the generated user using the same settings as the ones specified in the “common_site_config”? If that is the case and if there are certificates specified then the ssl type should default to the x509 type.
I just tested it by setting the ssltype to x509, it works fine. This really should be done by default.