If they have root access on the PHP servers they still access all the data in MySQL by writing code like this:
<?php
$pwnd = mysql_select_or_whatever_it_is('select * from sensitive_tables');
?>
Like most LAMP applications Wordpress uses only one connection with total access to all tables. It's the same unavoidable design issue that causes plugins and themes to be a security issue.
