
"If I use an ORM, I have to give the SQL account the client application is using more-or-less carte-blanche access to the database as it could conceivably read from or write to anywhere in the database through arbitrary SQL"

You can give table level permissions (and even specific columns if you want) to the ORM db account. From a security point of view there should be no difference.



I agree with both of you, although have never set up a DB in either style :)

One small point: the proposed stored procedure approach seems, qualitatively to me, to be less error-prone. The consumer in the sproc approach either does or doesn’t have access to specific sprocs, while managing fine-grained per-column permissions seems easy to screw up in either a too-liberal or too-restrictive way.
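Both comments above are talking about the same two ways of bounding what a compromised or buggy application account can do: column-level grants on the tables an ORM touches, versus a stored-procedure boundary where the account can only EXECUTE approved routines. The following is an added example, not code from either commenter; it assumes PostgreSQL syntax, a constructed `users` table, and hypothetical role names `app_orm` and `app_sproc`.

```sql
-- Added example (not from the thread). PostgreSQL syntax assumed.
-- Constructed schema: a users table whose password_hash column the
-- application must never be able to read back.
CREATE TABLE users (
    id            bigserial PRIMARY KEY,
    email         text NOT NULL UNIQUE,
    display_name  text NOT NULL,
    password_hash text NOT NULL
);

-- Approach 1: least-privilege grants for an ORM account (hypothetical role app_orm).
-- Assumes the role already has CONNECT on the database and USAGE on the schema.
CREATE ROLE app_orm LOGIN PASSWORD 'replace-me';
REVOKE ALL ON users FROM app_orm;                              -- start from nothing
GRANT SELECT (id, email, display_name) ON users TO app_orm;    -- column-level read
GRANT UPDATE (display_name) ON users TO app_orm;               -- column-level write
-- As app_orm:
--   SELECT id, email FROM users;        -> allowed
--   SELECT password_hash FROM users;    -> ERROR: permission denied for table users
--   SELECT * FROM users;                -> also denied, because * includes password_hash

-- Approach 2: stored-procedure boundary (hypothetical role app_sproc).
-- The role gets no table grants at all; its only capability is calling approved functions.
CREATE ROLE app_sproc LOGIN PASSWORD 'replace-me';
CREATE FUNCTION get_user_profile(p_id bigint)
RETURNS TABLE (id bigint, email text, display_name text)
LANGUAGE sql
SECURITY DEFINER              -- runs with the owner's rights, so pin the search_path
SET search_path = pg_catalog, public
AS $$
    SELECT users.id, users.email, users.display_name
    FROM users
    WHERE users.id = p_id;
$$;
REVOKE ALL ON FUNCTION get_user_profile(bigint) FROM PUBLIC;   -- PUBLIC gets EXECUTE by default
GRANT EXECUTE ON FUNCTION get_user_profile(bigint) TO app_sproc;
-- As app_sproc:
--   SELECT * FROM get_user_profile(42);   -> allowed
--   SELECT * FROM users;                  -> ERROR: permission denied for table users

-- Audit check for the "easy to screw up" concern: list exactly which columns
-- the ORM account can touch, straight from the catalog.
SELECT grantee, table_name, column_name, privilege_type
FROM information_schema.column_privileges
WHERE grantee = 'app_orm' AND table_name = 'users'
ORDER BY column_name, privilege_type;
```

The catalog query at the end is the practical answer to the error-prone worry: review it (or diff it against an expected list in CI) whenever the schema changes. One caveat for the ORM route is that many ORMs emit `SELECT *` by default, which fails outright once a column is withheld, so the mapping has to list columns explicitly or the denied column has to be moved to a separate table.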



