The most common multi-tenant bug we see during code review is always the same: a query that forgets to filter by `tenant_id`. Usually in an analytics endpoint. Usually written by a senior engineer in a hurry.
Application-level isolation is one missed `WHERE` away from a cross-tenant data leak. Postgres row-level security moves the check into the database, where it can't be forgotten.
The cost is real — you write policies, you set session variables, you debug `permission denied` errors that look mysterious until you remember they're the system working. We think the trade is worth it for any product where a tenant leak is an existential event.
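A minimal sketch of the policy and session-variable pattern described above, as an added example rather than code from our product. The `invoices` table, the `app_user` role, the `app.tenant_id` setting name and the sample rows are all assumptions made for illustration.

```sql
-- Constructed schema and data. Run as a superuser or the table owner.
CREATE ROLE app_user NOLOGIN;   -- stands in for the role the application connects as

CREATE TABLE invoices (
    id        bigint GENERATED ALWAYS AS IDENTITY PRIMARY KEY,
    tenant_id bigint NOT NULL,
    amount    numeric(12,2) NOT NULL
);
GRANT SELECT, INSERT, UPDATE, DELETE ON invoices TO app_user;

-- Seed rows for two tenants before the policy is switched on.
INSERT INTO invoices (tenant_id, amount)
VALUES (1, 100.00), (1, 250.00), (2, 999.00);

-- ENABLE turns policies on for ordinary roles. FORCE also applies them to
-- the table owner. Superusers and BYPASSRLS roles still skip them, so the
-- application must not connect as either.
ALTER TABLE invoices ENABLE ROW LEVEL SECURITY;
ALTER TABLE invoices FORCE ROW LEVEL SECURITY;

-- current_setting(name, true) yields NULL when the variable was never set,
-- and NULLIF covers the empty string left behind after a SET LOCAL expires.
-- A NULL comparison matches no rows, so a forgotten variable fails closed.
CREATE POLICY tenant_isolation ON invoices
    USING      (tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::bigint)
    WITH CHECK (tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::bigint);

SET ROLE app_user;

BEGIN;
-- SET LOCAL lasts only until COMMIT/ROLLBACK, so the value cannot leak to
-- the next request that reuses this pooled connection.
SET LOCAL app.tenant_id = '1';

-- The "forgotten WHERE" analytics query: the policy restricts it to
-- tenant 1's rows even though the query itself never mentions tenant_id.
SELECT sum(amount) FROM invoices;

-- Writing a row for another tenant is rejected by WITH CHECK.
INSERT INTO invoices (tenant_id, amount) VALUES (2, 5.00);
ROLLBACK;

-- Outside the transaction the variable is gone, so no rows are visible.
SELECT count(*) FROM invoices;

RESET ROLE;
```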