An attacker can still send a compromised payload if there’s no signature verification of the update. It takes a more sophisticated attack (e.g. supply chain attack, hijacking AMD’s update website, etc.) but it has happened before to other companies. If the payload is signed and verified, an attacker would also need to gain access to AMD’s private key to successfully send out a bad update. Assuming reasonable security, getting that private key would be a lot harder to get on top of somehow compromising AMD’s update web service.
Also CRC checks over the internet are sort of silly and redundant since every packet sent would already be subject to a similar CRC check and bad packets would be ignored (dropped and re-requested). It would only prevent corruption on disk or in memory which are a lot less likely than transmission corruption.
I too spin up a new DB for every service that needs one. It makes maintenance less intrusive since I only have to shut down one service at a time to update or do a full file backup and I can safely tweak the DB config to best suit the service without worrying about negatively impacting other services on the same DB. I also like the flexibility to choose the best DB for the service, e.g. I use Postgres for a lot of the services I develop but they do also support MySQL/MariaDB, but I have other services that are more tested on MariaDB.
I’d imagine having one database for everything could eventually cause performance problems across all services if the database gets too big or clunky or queries get too complex, even if just one service is causing the problem.
I also run a lot of physical servers (I have about 10 low power computers I use as servers right now) so having a dedicated DB per service allows me to get better performance since the DB can be on the same machine as the service. Not that they need high performance, but it also helps with the efficiency.