The Shopify OAuth process (in regard to a third party app) involves the Shopify shop user granting your app access to the specified scope of Shopify's dataset. Usually a key step when the app is installed for that Shopify shop. But it doesn't necessarily secure your own external database from the outside world.
If your app's underlying database is accessible to the outside world, then you would still need to secure access to it. Using JWT's is one way you could accomplish this, but the token acquisition process would be visible to a certain degree to the Shopify user via their web browser. So any potential "bad guy" could just view source on the web browser session to determine how to grab a JWT outside of Shopify. You could look at request headers to see what the referrer appears to be, what the origin appears to be, etc. But then again, the "bad guy" could just stuff those same acceptable values in headers impersonating a Shopify user's session.
As I responded to in another thread on here just today, I'd recommend looking into creating an app proxy from Shopify over to your side. And using HMAC signature validation as the basis of allowing/denying access. That was the best solution that I came up with working with similar scenarios.
Hope this helps!