Hey there @walter.adbe sorry for the delayed response on this one but wanted to share a couple thoughts here.
Using separate connections is one way to go about it - Organizations might be something to consider as well. Our Architecture Scenarios documentation may be useful as well.
The solution you’ve outlined is one possible way to achieve what you’re looking for. Again, organizations might be an option as well.
Yes - While the Actions themselves are tenant level, you can certainly introduce logic to single out specific applications. In particular, I am thinking of event.client.client_id. This as well as other post-login Action objects are outlined here.
Hope this helps!