Question
Design the data-isolation layer for a multi-tenant analytics SaaS with 40,000 tenants ranging from 5-seat startups to 100K-seat enterprises sharing a Postgres-backed platform. Requirements: one tenant's query can never read another's rows (even with an app bug), large enterprises need stronger isolation/guaranteed capacity, and onboarding a new tenant must be cheap (no per-tenant schema migration storm). Walk through the isolation model (shared table + tenant_id vs schema-per-tenant vs db-per-tenant), how you enforce isolation defensively, and how you stop a noisy enterprise tenant from starving small ones.
Clarify scale and constraints first. Propose a clean component breakdown, then go deep on the hard parts — data model, bottlenecks, consistency, failure modes — and name the trade-offs you are making.
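As an added example that is not part of the question above, the following Postgres DDL shows one answer to the isolation half of the prompt: the shared-table-plus-tenant_id model with isolation enforced inside the database by row-level security, so that an application bug that forgets a `WHERE tenant_id = ...` clause still cannot read or write another tenant's rows, plus per-tier login roles whose `statement_timeout` and `work_mem` bound what one tier can consume. The schema, table, role and GUC names (`analytics.events`, `app_rw`, `app_rw_small`, `app_rw_enterprise`, `app.tenant_id`) are assumptions; the login roles would need authentication configured separately, and the db-per-tenant tier for the largest enterprises is not shown.

```sql
-- Added example, not from the original page. Assumed names: schema analytics,
-- roles app_rw / app_rw_small / app_rw_enterprise, session variable app.tenant_id.

CREATE SCHEMA IF NOT EXISTS analytics;

-- The application never connects as the table owner or a superuser: owners and
-- superusers can bypass or rewrite policies, ordinary roles cannot.
CREATE ROLE app_rw NOLOGIN;
GRANT USAGE ON SCHEMA analytics TO app_rw;

-- Tenants are bucketed into tiers; each tier has its own login role so that
-- per-role resource settings (below) act as a noisy-neighbour guardrail.
CREATE ROLE app_rw_small      LOGIN IN ROLE app_rw;
CREATE ROLE app_rw_enterprise LOGIN IN ROLE app_rw;
ALTER ROLE app_rw_small      SET statement_timeout = '5s';
ALTER ROLE app_rw_small      SET work_mem = '16MB';
ALTER ROLE app_rw_enterprise SET statement_timeout = '60s';
ALTER ROLE app_rw_enterprise SET work_mem = '256MB';

-- Shared table: tenant_id leads the primary key and every index, so a scoped
-- query never scans across tenants. Onboarding a tenant is one row elsewhere,
-- not a schema migration.
CREATE TABLE analytics.events (
    tenant_id   bigint      NOT NULL,
    event_id    bigint      GENERATED ALWAYS AS IDENTITY,
    occurred_at timestamptz NOT NULL DEFAULT now(),
    payload     jsonb       NOT NULL,
    PRIMARY KEY (tenant_id, event_id)
);
CREATE INDEX events_tenant_time_idx ON analytics.events (tenant_id, occurred_at);

ALTER TABLE analytics.events ENABLE ROW LEVEL SECURITY;
ALTER TABLE analytics.events FORCE ROW LEVEL SECURITY;   -- applies to the owner too

-- The tenant is read from a transaction-local setting. current_setting(..., true)
-- returns NULL when the setting is absent, so an unscoped session matches no rows
-- (fail closed) instead of every row. WITH CHECK applies the same rule to writes.
CREATE POLICY tenant_isolation ON analytics.events
    FOR ALL TO app_rw
    USING      (tenant_id = current_setting('app.tenant_id', true)::bigint)
    WITH CHECK (tenant_id = current_setting('app.tenant_id', true)::bigint);

GRANT SELECT, INSERT, UPDATE, DELETE ON analytics.events TO app_rw;

-- What one request looks like from the application's connection. SET LOCAL is
-- undone at COMMIT/ROLLBACK, so a pooled connection cannot carry a tenant id
-- over to the next request.
SET ROLE app_rw_small;
BEGIN;
SET LOCAL app.tenant_id = '42';
INSERT INTO analytics.events (tenant_id, payload) VALUES (42, '{"kind": "login"}');
-- A buggy code path that writes the wrong tenant is rejected by WITH CHECK
-- ("new row violates row-level security policy"):
-- INSERT INTO analytics.events (tenant_id, payload) VALUES (7, '{"kind": "login"}');
-- An unscoped read is silently confined to tenant 42 by the USING clause:
SELECT count(*) FROM analytics.events;
COMMIT;
RESET ROLE;
```

The design choice worth naming: the policy keys on a setting the connection layer must populate, so the remaining trust boundary is the code that maps an authenticated session to `app.tenant_id`; that mapping should be the only place in the application that ever mentions a tenant id for scoping, and a session that reaches the database without it returns nothing rather than everything. Capacity isolation here is coarse (per-tier timeouts and memory), which is the trade-off of the shared-table model; tenants that need guaranteed capacity or compliance-driven separation are the candidates for the db-per-tenant tier the question asks about.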