It has been mentioned within your KB articles that you can restrict the SQL user account to just have the necessary permissions, so why isn't this done as an automatic task during installation, creating a new account and using this SQL account to connect to the DB?
This would eliminate people using the SA account, and the permissions would be least privilege, which every IT department requires these days.