Depends on what your attack model is. Personally I consider all of my deployments to be single-user only, i.e. if you somehow manage to exploit enough of it to have code exec as user1, the whole damn thing can probably be thrown away anyway.
I focus on avoiding lateral movement instead (e.g. no secrets that allow accessing other machines), but that's really not too hard. And making secrets easily rotatable and the system easily rebuildable.
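One way to check a deployment against the "no secrets that reach other machines" rule above, as an added example that is not the commenter's own code: walk the deployment directory, flag files holding cross-host credential material (SSH private keys, AWS access key IDs, `.netrc`-style passwords), and report whether each is older than a rotation window or readable by other local users. The pattern list, the 30-day window and the sample tree are assumptions for illustration.

```python
"""Audit a deployment directory for secrets that would let someone with code
exec as the service user reach *other* machines, and flag ones that are stale
(past the rotation window) or world-readable. Added illustrative example; the
patterns and the 30-day default are assumptions, not a complete inventory."""
import os
import re
import tempfile
import time
from pathlib import Path

# Credential material that typically grants access to other hosts.
# Assumed/illustrative list, not exhaustive.
CROSS_HOST_PATTERNS = {
    "ssh_private_key": re.compile(rb"-----BEGIN (?:RSA |OPENSSH |EC |DSA )?PRIVATE KEY-----"),
    "aws_access_key_id": re.compile(rb"\bAKIA[0-9A-Z]{16}\b"),
    "netrc_password": re.compile(rb"^\s*password\s+\S+", re.MULTILINE),
}

MAX_FILE_BYTES = 1 << 20  # skip large files (binaries, logs); assumed cutoff


def classify(data: bytes):
    """Return the kinds of cross-host secrets present in a file's bytes."""
    return [kind for kind, pat in CROSS_HOST_PATTERNS.items() if pat.search(data)]


def scan_for_cross_host_secrets(root, max_age_days=30, now=None):
    """Walk `root`; return one finding per file that holds cross-host secrets.

    Each finding records the relative path, the secret kinds, the file age in
    days, whether it exceeds the rotation window, and whether other local
    users can read it (mode bit o+r).
    """
    now = time.time() if now is None else now
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_symlink() or not path.is_file():
            continue
        st = path.stat()
        if st.st_size > MAX_FILE_BYTES:
            continue
        kinds = classify(path.read_bytes())
        if not kinds:
            continue
        age_days = (now - st.st_mtime) / 86400
        findings.append({
            "path": str(path.relative_to(root)),
            "kinds": kinds,
            "age_days": round(age_days, 1),
            "stale": age_days > max_age_days,
            "world_readable": bool(st.st_mode & 0o004),
        })
    return findings


def build_sample_deployment():
    """Constructed sample tree (dummy, non-functional credentials) so the
    scanner can be run offline. Not a real deployment."""
    root = Path(tempfile.mkdtemp(prefix="deploy-"))
    (root / "app").mkdir()
    (root / "app" / "config.py").write_text("DEBUG = False\n")  # clean file
    key = root / "app" / "deploy_key"
    key.write_text("-----BEGIN OPENSSH PRIVATE KEY-----\nZm9vYmFy\n"
                   "-----END OPENSSH PRIVATE KEY-----\n")
    key.chmod(0o600)
    old = time.time() - 90 * 86400  # backdate the key so it is past the window
    os.utime(key, (old, old))
    env = root / ".env"
    env.write_text("AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
                   "AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n")
    env.chmod(0o644)  # world-readable on purpose to exercise that check
    return root


if __name__ == "__main__":
    for finding in scan_for_cross_host_secrets(build_sample_deployment()):
        flags = [k for k in ("stale", "world_readable") if finding[k]]
        print(f"{finding['path']}: {', '.join(finding['kinds'])} "
              f"(age {finding['age_days']}d) {' '.join(flags)}")
```

Run it against the real deployment root instead of the sample tree; any hit is a secret that turns a single-box compromise into lateral movement, and a `stale` hit is one the rotation process has missed. The scanner reads file contents, so run it as the service user to also see what that user can actually read.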