That’s true, and the only way to make a Keepass database safe is to make the master password as long and as unguessable as possible.
I guess this works only as long as the superuser account is not compromised and the superuser is a trusted person.
But that’s only my $0.02, and I believe this is not helpful at all. After all, I am not a security expert (far from it! - just someone interested in that topic), so you might want to find a security forum somewhere, to get more helpful answers to your questions.