Separate databases of separated users is not enough to ensure data privacy. You have to do more more in case you go this way, for example, disable administration of modules.
If data are reasonnably sensible, separating code, linux users and database roles may be acceptable.

It is the way the self-service free hosting http://sisalp.com works

If users have to be "state-of-the-art" protected, then container is a minimum (Docker, LXC, or OpenVZ)

 Of course, multicompany is not even an illusion of privacy.

Depends on how you try to achieve multi-tenancy. If you use separate databases for each tenant (which is the "normal" way), you don't have that problem. If you are using multi-company mode, define the "allowed companies" for each user accordingly. But I would not recommend this way.