The company I work at wants to point the primary domain (e.g. company.com) to a third-party CMS to manage the content (marketing, lead-gen) and use a different domain (company.app) to host the web application, which contains PII/PHI data.
The main argument is that this approach is necessary from a security perspective. It'll prevent a compromised third-party CMS (the CMS company they want to use seems to have poor security, no SOC audit) from affecting the web application since it's on a different domain.
The web application is also not public, so having two different domains shouldn't affect SEO.
I'm curious if anyone out there has any experience with this type of approach and if these reasons are valid over just using one domain with many subdomains.
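
As an added illustration (not part of the original post), the sketch below compares the two layouts in terms of browser cookie scope (RFC 6265 domain matching) and same-site status. The hostnames `www.company.com` and `app.company.com` and the two-entry suffix set are assumptions made for the example; browsers use the full Public Suffix List.

```python
# Added example: cookie scope and same-site status for the two layouts in the question.
# Hostnames are constructed; PUBLIC_SUFFIXES is a stand-in for the real Public Suffix List.
PUBLIC_SUFFIXES = {"com", "app"}  # assumption: enough for these sample hosts

def registrable_domain(host):
    """Public suffix plus one label (eTLD+1), e.g. app.company.com -> company.com."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            if i == 0:
                raise ValueError(f"{host} is itself a public suffix")
            return ".".join(labels[i - 1:])
    raise ValueError(f"no known public suffix for {host}")

def domain_match(host, cookie_domain):
    """RFC 6265 section 5.1.3: host equals the domain or is a subdomain of it."""
    host, cookie_domain = host.lower(), cookie_domain.lower().lstrip(".")
    return host == cookie_domain or host.endswith("." + cookie_domain)

def cookie_sent_to(setter_host, domain_attr, request_host):
    """Host-only cookies (no Domain attribute) return only to the exact setter host."""
    if domain_attr is None:
        return request_host.lower() == setter_host.lower()
    return domain_match(request_host, domain_attr)

def may_set(host, domain_attr):
    """A host may scope a cookie to its own parent domain, never to a public suffix."""
    d = domain_attr.lower().lstrip(".")
    return d not in PUBLIC_SUFFIXES and domain_match(host, d)

def compare(cms_host, app_host):
    """Summarise what the browser shares between the CMS host and the app host."""
    parent = registrable_domain(app_host)
    return {
        "same_site": registrable_domain(cms_host) == parent,
        "cms_gets_host_only_app_cookie": cookie_sent_to(app_host, None, cms_host),
        "cms_gets_parent_scoped_app_cookie": cookie_sent_to(app_host, parent, cms_host),
        "cms_may_scope_cookie_to_app": may_set(cms_host, parent),
    }

ONE_DOMAIN = compare("www.company.com", "app.company.com")   # subdomain layout
TWO_DOMAINS = compare("www.company.com", "company.app")      # separate-domain layout

if __name__ == "__main__":
    for name, result in (("one domain", ONE_DOMAIN), ("two domains", TWO_DOMAINS)):
        print(name, result)
```

In the subdomain layout, host-only cookies (no `Domain` attribute) on the application are the only ones the CMS host never receives; in the two-domain layout no cookie scope is shared at all.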