If there are other DBs which are legitimately accessible by users, you can't.
If there aren't, and if you can authorization to modify your firewall policy on the server, then look at firewalling off connections from everything but the DBAs and the app servers. Of course, if the DBAs aren't in their own vLAN, then this may not be an option, either.
The question I have is why does a group have dbowner access? Is this required of the app? If so, have you pushed back with the developer of the app?
K. Brian Kelley