The client could conceivably connect to something like an ElasticSearch database (JSON API), setup with no auth/read-only permissions and appropriate rate-limiting.
You are really talking about a very small use case if you say the only database that could be used would be no auth/read-only considering most database requires auth for security and most apps need to write.
And then you use a "function" behind the gateway for the parts that need to write or need to see things that need authentication. Just like in the diagram...? Nothing says that you can only allow public access to a database.
Is there something wrong that the client browser is connecting directly to the database, so JS -> MySQL direct connection won't expose credentials ?