I've worked with multi-tenant databases in the past, including situations where external clients had ad-hoc query access. The way we dealt with it was to have a separate database for each client, so a hard boundary was established in the form of authentication when they logged in. But that did present maintenance issues like keeping all the schemas in sync and managing file growth and memory for 100s of individual tables. Eventually there was talk of having a single database, with a dedicated schema for each client, schema-based authorization, and each client's data encrypted using a separate symmetric key. But that still would have presented the issue of how to keep schema DDL in sync.
"Do not seek to follow in the footsteps of the wise. Instead, seek what they sought." - Matsuo Basho