If all DB servers in a site are down, the webservers (in that site) should stop responding to Auth requests:
that would automatically trigger the (some) load balancer failover.
(And it would make sense too: these webservers are only little helpers of their DB masters. No master, no action.)
Also, the webservers should stop responding to /api/v1/status too, or at least respond with error 500 or 404 or something like that. Today it just reports 200, because the webserver itself is alive (even if its masters are not).
These two "tweaks" would help with many failover scenarios of geo-dispersed AA sites.
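
A sketch of the behaviour requested above, as an added example that is not the product's own code: the status answer is derived from whether any DB server of the site is reachable, and every other request goes through the same gate. The server addresses, port, the TCP reachability probe and the choice of 503 as the error code are assumptions made for illustration.

```python
import json
import socket
from http.server import BaseHTTPRequestHandler, HTTPServer

# Hypothetical DB masters of this site (constructed TEST-NET-1 addresses).
SITE_DB_SERVERS = [("192.0.2.10", 5432), ("192.0.2.11", 5432)]


def tcp_probe(host, port, timeout=1.0):
    """Return True if a TCP connection to the DB server succeeds.

    An open port is only a coarse signal; a production check would run
    a trivial query against the database instead.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def site_status(db_servers, probe=tcp_probe):
    """Map DB reachability to (HTTP status, body) for /api/v1/status."""
    up = [f"{host}:{port}" for host, port in db_servers if probe(host, port)]
    if up:
        return 200, {"status": "ok", "db_up": up}
    # No master reachable: answer with an error so the load balancer's
    # health check marks this webserver down and fails over.
    return 503, {"status": "no database server reachable", "db_up": []}


class Handler(BaseHTTPRequestHandler):
    def do_GET(self):
        code, body = site_status(SITE_DB_SERVERS)
        # Any path, auth requests included, gets the 503 while the DBs are
        # down; this sketch only implements the status path itself.
        if code == 200 and self.path != "/api/v1/status":
            code, body = 404, {"status": "unknown path"}
        payload = json.dumps(body).encode()
        self.send_response(code)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)


if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8080), Handler).serve_forever()
```

The probe is passed in as a parameter so the decision logic can be exercised without real database servers.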