Tenant isolation is a feature you test, not a checkbox you claim
Every multi-tenant product says its tenants are isolated. The ones you can trust are the ones that try to break it on purpose. Here's how we prove no tenant can read another's data.
Ask any multi-tenant vendor if tenants are isolated and the answer is always yes. It has to be, it's table stakes. But 'isolated' is a claim until someone deliberately tries to cross the boundary and fails. In a shared semantic cache, where answers are reused across similar questions, the temptation for data to leak between tenants is real and the stakes are a breach.
Every read is scoped to its tenant and user, the walls are enforced, not assumed.
We test this the way an attacker would think about it: store a fact under one tenant, then ask for it as another. The correct result is nothing, not a filtered-after-the-fact result, but a boundary the query can't cross in the first place. Isolation that's only enforced by remembering to filter is isolation waiting to be forgotten. It has to be structural.
The bottom line
Don't trust an isolation claim; trust an isolation test. Ours says a tenant asking for another tenant's data gets exactly what it should, nothing.