A good rule of thumb with the public role is to leave it alone: do not add permissions to this role. Instead, grant permissions per database and per group of users. Create roles within the database and grant permissions to those roles, in each database. And remember the rule of least privilege: do not grant a user or role more permissions than are needed to perform the job function. It is just the same as in an airport, where everybody has a strictly defined role. If the user does not need access, do not grant the permissions.
This article demonstrates a script that generates a clean HTML report of your database security, suitable for the auditors.
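As an added illustration (example script, not part of the original article or its report tool), the following T-SQL shows the pattern the rule above warns against next to the recommended one, and finishes with a query an auditor or DBA can run to find permissions that have been granted to public on user objects. The database name, schema, role name and Windows login are assumed sample values.

```sql
-- Example database and schema; names are assumed for this illustration.
USE SalesDb;
GO

-- WEAK PATTERN: granting to public gives every principal in the database
-- the permission, including logins that should never see this data.
-- GRANT SELECT ON SCHEMA::dbo TO public;   -- do not do this

-- RECOMMENDED PATTERN: a database role per job function, permissions on the
-- role, and users added to the role. Repeat per database as needed.
IF NOT EXISTS (SELECT 1 FROM sys.database_principals
               WHERE name = N'reporting_reader' AND type = 'R')
    CREATE ROLE reporting_reader AUTHORIZATION dbo;
GO

-- Grant only what the job function requires (read access to one schema here).
GRANT SELECT ON SCHEMA::dbo TO reporting_reader;
GO

-- Map a user to the role; the login name is an assumed sample value.
-- ALTER ROLE ... ADD MEMBER is supported on SQL Server 2012 and later.
ALTER ROLE reporting_reader ADD MEMBER [CONTOSO\ReportUser];
GO

-- AUDIT CHECK: list every explicit permission granted to public on user objects
-- in the current database. An empty result is the expected, healthy state.
-- major_id > 0 limits the output to user objects; system objects exposed
-- through the resource database carry negative ids.
SELECT  dp.name              AS grantee,
        pe.state_desc        AS grant_state,
        pe.permission_name,
        pe.class_desc,
        OBJECT_SCHEMA_NAME(pe.major_id) + N'.' + OBJECT_NAME(pe.major_id)
                             AS object_name
FROM    sys.database_permissions AS pe
JOIN    sys.database_principals  AS dp
        ON dp.principal_id = pe.grantee_principal_id
WHERE   dp.name = N'public'
  AND   pe.class_desc = N'OBJECT_OR_COLUMN'
  AND   pe.major_id > 0
ORDER BY object_name, pe.permission_name;
GO
```

Run the final query in each user database (for example from a loop over `sys.databases`) to catch grants to public that were added directly or shipped with a vendor schema; any row it returns is a candidate for moving onto a purpose-built role and then revoking from public.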