Do you think it's worth it to store a digest of the confirmation_token, so that access to the database doesn't grant easy access to user accounts?

One problem is that it would be a backwards incompatible change, and would require a migration of existing data.