One issue is that if someone manages to compromise your web application and gain shell access to the server, then they can access the database directly at the OS level – allowing them to replace the datafiles, remove log files, corrupt backups, and so on. Whilst this might not expose any more of your application’s data to the end user, this level of access makes it much more difficult to trace the actions of an attacker. Gaining this level of access to the database server is generally much more damaging than gaining it on the app server, hence the desire to separate the two.

Whilst it’s not really an issue for J2EE apps, for app servers that run native code there’s also the issue that you’ll often end up installing a lot more packages on your app server (thus increasing the attack surface) than you would on a dedicated DB server – so if your organisation has a one-size-fits-all policy then this may be influencing it.

The other argument to consider is: what’s the downside? Assuming you’re running on virtualised hardware then there’s no significant increase in cost, provisioning & managing an app server and a DB server isn’t significantly harder than provisioning enforcing them separately, separation makes architectural sense, and you’re in a better position to scale if you need to do so in the future.