Tags: mysql, security, mariadb

Is it safe to grant all privileges to a public-facing app in a MySQL/MariaDB database?


Consider this:

GRANT ALL PRIVILEGES ON myapp.* TO 'myapp'@'localhost' WITH GRANT OPTION;

From the DigitalOcean documentation on how to create a new MySQL user:

Warning: Some users may want to grant their MySQL user the ALL PRIVILEGES privilege, which will provide them with broad superuser privileges akin to the root user’s privileges [...] Such broad privileges should not be granted lightly, as anyone with access to this MySQL user will have complete control over every database on the server.

I have a public-facing third-party app that requires an unknown amount of privileges, but I still want it to be safe. Assuming I can't infer what privileges are actually used, what is the broadest set of privileges I can assign to my new user without it becoming a security hazard? Is it ALL PRIVILEGES or something else?

For example, how does the CREATE USER privilege work? Assuming I have access only to database A and not B, does having CREATE USER allow me to create a brand new user that has access to database B, thereby bypassing the restriction imposed on myself? I'm assuming not, but I hope this makes the thought process clear.


Solution

There is no set of privileges that is "safe" if random users are able to execute arbitrary SQL on your database server.

I could grant nothing but USAGE to a MySQL user (i.e. they can connect but nothing else), and if that user can execute arbitrary SQL, they can bring down the server.

So the more important question is, how can you use application code to restrict what SQL statements can be run?

And also, never allow your database instance to be directly reachable by folks on the internet. You should use network infrastructure (routing and firewalls) to make sure only clients on your application server can connect to the database.
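As an added illustration of the narrowing both the question and the answer point at (not part of the original question or answer), the following puts the GRANT ALL statement from the question beside a least-privilege grant and adds the queries used to verify what an account actually holds. The account names, the 'myapp_migrate' account, the host part and the passwords are constructed placeholders. On the CREATE USER point raised in the question: it is a global privilege (granted ON *.*), documented by MySQL as covering CREATE USER, DROP USER, RENAME USER and REVOKE ALL PRIVILEGES, so an account holding it cannot hand out privileges it does not itself hold with GRANT OPTION, but it can drop or rename other accounts, which is why it has no place on an application account.

```sql
-- Added example, not code from the question or the answer above.
-- Account names, host, database name and passwords are constructed.

-- Broad form from the question: every privilege on myapp.*, plus the ability
-- to pass those privileges on to other accounts (kept here only as a comment).
-- GRANT ALL PRIVILEGES ON myapp.* TO 'myapp'@'localhost' WITH GRANT OPTION;

-- Least-privilege form for the runtime account: it can connect only from the
-- host part named here (the application server), and gets only the DML it
-- needs on the one schema. No GRANT OPTION, no global privileges.
CREATE USER IF NOT EXISTS 'myapp'@'localhost'
  IDENTIFIED BY 'placeholder-replace-with-long-random-password';
GRANT SELECT, INSERT, UPDATE, DELETE ON myapp.* TO 'myapp'@'localhost';

-- If the app runs schema migrations at deploy time, give the DDL to a separate
-- account used only during deployment rather than widening the runtime one.
CREATE USER IF NOT EXISTS 'myapp_migrate'@'localhost'
  IDENTIFIED BY 'placeholder-replace-with-long-random-password';
GRANT CREATE, ALTER, DROP, INDEX, REFERENCES ON myapp.* TO 'myapp_migrate'@'localhost';

-- Checks: what the runtime account really holds. Global privileges such as
-- CREATE USER, FILE, PROCESS or SUPER are granted ON *.*, so the only *.*
-- line in SHOW GRANTS should be USAGE, and USER_PRIVILEGES (the global table
-- in information_schema) should list nothing but USAGE for this grantee.
SHOW GRANTS FOR 'myapp'@'localhost';
SELECT GRANTEE, PRIVILEGE_TYPE, IS_GRANTABLE
  FROM information_schema.USER_PRIVILEGES
 WHERE GRANTEE = '''myapp''@''localhost''';
SELECT GRANTEE, TABLE_SCHEMA, PRIVILEGE_TYPE, IS_GRANTABLE
  FROM information_schema.SCHEMA_PRIVILEGES
 WHERE GRANTEE = '''myapp''@''localhost''';

-- Remediation if the broad grant from the question was already applied:
-- strip everything (including GRANT OPTION) and re-grant the narrow set.
REVOKE ALL PRIVILEGES, GRANT OPTION FROM 'myapp'@'localhost';
GRANT SELECT, INSERT, UPDATE, DELETE ON myapp.* TO 'myapp'@'localhost';
```

The host part of the account name is the database-side half of the network restriction the answer asks for: 'myapp'@'localhost' cannot authenticate from any other address, whatever the firewall does. Replace 'localhost' with the application server's address when the database runs on a separate host, and keep the firewall rules in place as well, since the account-level restriction only limits who can log in, not who can reach the port.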