FieldCred is multi-tenant: each customer ("tenant") is provisioned its own separate backend project and database. This is not one shared database with a tenant_id column filtering what you see — it's a fully distinct project per customer. There is no query path in the app that can reach another tenant's data, because the app only ever holds credentials for the single project it was initialized against.
How the app knows which tenant it is
Which tenant's project a browser talks to is resolved by domain, or by an explicit ?tenant= parameter in the URL. This is also why share links and password-reset links explicitly carry that parameter: a link opened on a device with no prior context for your tenant needs enough information in the URL itself to connect to the right project — otherwise it would have no way to know which one you meant.
For what's not yet isolated — the fact that every signed-in user within your own tenant currently has full admin rights — see Today's roles model — one shared admin account.