MySQL Forums

Re: about priveleges
Posted by: Peter Brawley
Date: July 29, 2015 11:00AM

A webapp needs to authenticate itself as a database user, in PHP, via a mysqli_connect() call, and it needs to authenticate its users.

Conventionally, root has all privs, including the priv of granting privs. No webapp should have root privs.

The webapp needs its own mysql.user entry, with no more than the privs the app requires; eg it shouldn't have the drop database priv.

If there are different classes of webapp users---eg readers, writers, admins---then each of those classes needs one mysql.user row defining its max privs.

Individual webapp users should be documented by a separate mechanism, minimally a user table in the webapp-specific database, more sophisticatedly a set of role-based-access tables which map individual user privilege sets to defined roles, and map those roles in turn to specific mysql.user rows.
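The layout described in the post above, as an added example that is not part of the original post: one MySQL account per class of webapp user, each limited to table-level privileges, plus tables mapping individual users to roles and roles to accounts. The database, table, account and host names and the passwords are all constructed placeholders.

```sql
-- Constructed names throughout (webapp_db, article, app_*, app-host.example).
CREATE DATABASE IF NOT EXISTS webapp_db;
USE webapp_db;

-- Role table: maps each webapp role to the mysql.user row it connects as.
CREATE TABLE app_role (
  role_id       INT PRIMARY KEY,
  role_name     VARCHAR(32) NOT NULL UNIQUE,
  mysql_account VARCHAR(32) NOT NULL
);
-- Individual webapp users live here, not in mysql.user.
-- Credential columns are omitted to keep the example short.
CREATE TABLE app_user (
  user_id INT AUTO_INCREMENT PRIMARY KEY,
  login   VARCHAR(64) NOT NULL UNIQUE,
  role_id INT NOT NULL,
  FOREIGN KEY (role_id) REFERENCES app_role (role_id)
);
-- Stand-in for the application's real content tables.
CREATE TABLE article (article_id INT AUTO_INCREMENT PRIMARY KEY, body TEXT NOT NULL);

INSERT INTO app_role VALUES
  (1, 'reader', 'app_reader'), (2, 'writer', 'app_writer'), (3, 'admin', 'app_admin');

-- One account per class, reachable only from the application host.
CREATE USER 'app_reader'@'app-host.example' IDENTIFIED BY 'placeholder-secret-1';
CREATE USER 'app_writer'@'app-host.example' IDENTIFIED BY 'placeholder-secret-2';
CREATE USER 'app_admin'@'app-host.example'  IDENTIFIED BY 'placeholder-secret-3';

-- Readers: read content and resolve roles, nothing else.
GRANT SELECT ON webapp_db.article  TO 'app_reader'@'app-host.example';
GRANT SELECT ON webapp_db.app_user TO 'app_reader'@'app-host.example';
GRANT SELECT ON webapp_db.app_role TO 'app_reader'@'app-host.example';

-- Writers: change content, but cannot edit the user or role tables.
GRANT SELECT, INSERT, UPDATE, DELETE ON webapp_db.article TO 'app_writer'@'app-host.example';
GRANT SELECT ON webapp_db.app_user TO 'app_writer'@'app-host.example';
GRANT SELECT ON webapp_db.app_role TO 'app_writer'@'app-host.example';

-- Admins: manage content and webapp users; no DROP, no GRANT OPTION, no global privs.
GRANT SELECT, INSERT, UPDATE, DELETE ON webapp_db.article  TO 'app_admin'@'app-host.example';
GRANT SELECT, INSERT, UPDATE, DELETE ON webapp_db.app_user TO 'app_admin'@'app-host.example';
GRANT SELECT ON webapp_db.app_role TO 'app_admin'@'app-host.example';

-- Resolve which account a webapp user connects as ('alice' is a constructed login;
-- the app would bind it through a prepared statement).
SELECT r.mysql_account FROM app_user u JOIN app_role r USING (role_id) WHERE u.login = 'alice';

-- Audit: confirm each account holds only what was granted above.
SHOW GRANTS FOR 'app_writer'@'app-host.example';
```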
