I had a long post on this a couple months back. I know Multi-Tenant security can be achieved, and I'm currently working on implementing this today (very manual). There are a few things I think would really help.
Row Level Security
When a tenant authenticates to an application, they are only granted access to rows with their tenant_id, and nothing else. Right now this is only achievable for Read operations by doing a Query All Records and matching the tenant_id with the auth token set tenant_id I'm also passing.
For Write, Edit, Delete this is much more complex. This requires that you first verify that the data being edited is data from that tenant, then going through a precondition that basically stops the user or allows them to pass. Moving to a model where the row itself was only ever part of the tenant could help tremendously.
Role Based Access
My application has different roles for user, editor, administrator, etc. It would be nice if there was an RBAC engine in Xano that would allow me to create the different roles within an application, as well as be able to pass specific data into those roles, such as this user is marked as an editor for a record they don't own, but is allowed to edit. Right now, once again very manual.
Security is paramount these days, and these two things would help tremendously.
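The tenant and role checks described in the post, shown as an added example that is not part of the original post and is not Xano's API. It uses Python with an in-memory SQLite database; the table, column and role names are assumptions, and `auth` stands for claims taken from an already verified auth token.

```python
import sqlite3

# Constructed schema and sample data; all names here are assumptions.
def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE records (id INTEGER PRIMARY KEY, tenant_id INTEGER,
                              owner_id INTEGER, body TEXT);
        CREATE TABLE grants  (record_id INTEGER, user_id INTEGER, role TEXT);
        INSERT INTO records VALUES (1, 10, 100, 'a'), (2, 10, 101, 'b'),
                                   (3, 20, 200, 'c');
        -- user 100 is an editor for record 2, which they do not own
        INSERT INTO grants VALUES (2, 100, 'editor');
    """)
    return db

def list_records(db, auth):
    # Read path: the tenant filter is part of the query itself,
    # not a match applied after fetching every row.
    rows = db.execute(
        "SELECT id FROM records WHERE tenant_id = ? ORDER BY id",
        (auth["tenant_id"],))
    return [r[0] for r in rows]

def update_record(db, auth, record_id, body):
    """Return True if the row was updated, False if the caller may not edit it."""
    # Tenant and role checks sit in the WHERE clause, so verifying and
    # writing are one atomic statement instead of read, check, then write.
    cur = db.execute(
        """UPDATE records SET body = :body
           WHERE id = :rid AND tenant_id = :tid
             AND (:role = 'administrator'
                  OR owner_id = :uid
                  OR EXISTS (SELECT 1 FROM grants g
                             WHERE g.record_id = records.id
                               AND g.user_id = :uid
                               AND g.role = 'editor'))""",
        {"body": body, "rid": record_id, "tid": auth["tenant_id"],
         "uid": auth["user_id"], "role": auth["role"]})
    db.commit()
    # Zero rows changed means wrong tenant, missing row, or no permission;
    # the caller learns nothing about which one it was.
    return cur.rowcount == 1
```
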