Thank you for the suggestions thus far. As mentioned, this server already has an iptables firewall ruleset. The default policy for input is to drop, and the port for MySQL (3306) is not included in the list that accepts input. I suppose there could be a rule in the output table to prevent it from making communication out through the internet-facing interface, but I think there would have to be an assumption that it didn't fork to a different port when communicating.
As for the chroot jail, you can use the application makejail to help set up a jail for MySQL. In Debian, I just use apt-get to install it. It wouldn't surprise me if there was an emerge package for it in Gentoo. A jail is more of a post-incident utility that limits damage once the service has been compromised. I would like to focus on actions to prevent the service from being compromised.
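The firewall state described in the post above (INPUT policy DROP, no accept rule for 3306) can be checked mechanically; this is an added example, not part of the original post. The function name `check_mysql_exposure` and the sample ruleset are constructed for illustration, and the check only catches ACCEPT rules that name the port explicitly (single port, multiport list, or range), not rules that accept traffic without any port match.

```shell
#!/bin/sh
# Added example: audit `iptables -S` output for MySQL (3306/tcp) exposure.
# Reads rules on stdin, prints findings, and returns 0 only if the INPUT
# policy is DROP and no INPUT ACCEPT rule names port 3306.
check_mysql_exposure() {
    awk -v port=3306 '
    # True if a --dport/--dports value (e.g. "22,80,3000:4000") covers port.
    function covers(spec,    n, i, parts, r) {
        n = split(spec, parts, ",")
        for (i = 1; i <= n; i++) {
            if (split(parts[i], r, ":") == 2) {
                if (port >= r[1] + 0 && port <= r[2] + 0) return 1
            } else if (parts[i] + 0 == port) return 1
        }
        return 0
    }
    $1 == "-P" && $2 == "INPUT" { policy = $3 }
    $1 == "-A" && $2 == "INPUT" {
        target = ""; spec = ""
        for (i = 3; i < NF; i++) {
            if ($i == "-j") target = $(i + 1)
            if ($i == "--dport" || $i == "--dports") spec = $(i + 1)
        }
        if (target == "ACCEPT" && spec != "" && covers(spec)) {
            print "EXPOSED: " $0; bad = 1
        }
    }
    END {
        if (policy != "DROP") {
            print "INPUT policy is \"" policy "\", expected DROP"; bad = 1
        }
        exit bad + 0
    }'
}

# Constructed sample ruleset (not from the server in the post): the
# multiport range 3000:4000 silently includes 3306.
SAMPLE_RULES='-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 80,3000:4000 -j ACCEPT'

printf '%s\n' "$SAMPLE_RULES" | check_mysql_exposure || echo "ruleset needs attention"
# Live use (as root): iptables -S | check_mysql_exposure
```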