The approach you are looking into (checking before sending the email if the lead is unsubscribed in another DB), IMHO, is dangerous: it works only for smart campaigns and will not work for engagement programs with emails nor with email programs. It also completely depends on users not forgetting to call the webhook before sending.
At the end of the day, the safest approach is to that the complete list of unsubscribes are located within Marketo, so that you protect sends non only now but also in the future and is implemented on all programs for all users. It can be done without increasing your Marketo DB. See this post: Feeding the Durable Unsubscribe List without increasing the database
The approach described in this post is done through an import, but you could also use it through the REST API.
You can certainly do this with Engagements with a daily removal campaign. Also, if the unsub flag is properly updated, the Engagement won't send anyway.
Sure, bit as these unsubscribes are not known to Marketo until the webhook is called, it is still completely dependent on the users not forgetting to place checks everywhere. Quite a sure way that someone forget's one day.