@SnakeDoctor It is indeed an important scenario, and many big organizations plan it according to their needs. If your environment has multiple forests, they can get synchronized to one single tenant, making it easier for companies to manage their identities from a single place. For supported scenarios of user synchronization, please have a look here.
In Azure AD, you can use the concept of role-based access control to make sure people see and use the services which they have access to.
Many companies create several subscriptions in order to keep the department-specific resources and billing in silos. They have access to just their own subscription, and if combined with proper permissions and roles, they can co-exist in such a way that people from other departments do not see or access resources in other subscriptions. To understand how this subscription-based model works, you can read about this here.
For your concern on inter-tenant collaboration, I highly recommend reading this Microsoft Inter Tenant Collaboration article, which explains data sharing with respect to Exchange, SharePoint or Teams collaborations.