One metastore per region per tenant is an enforced soft limit that works for nearly all organisations. You have an additional level of isolation that can be achieved by creating Catalogs inside the Metastore. The recommendation is to use those Catalogs to achieve the isolation you need. You can divide your Catalogs per environment (DEV, Staging, PROD), Business Unit, a mix of both, or however you find most useful for your needs.
Each catalog can have a separate LOCATION to store its data in different buckets/containers (S3/ADLS) if required to separate the data in the storage. Also, you can isolate which Catalogs can be accessed by which workspaces, giving you full flexibility.
https://docs.databricks.com/en/data-governance/unity-catalog/best-practices.html
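
The per-environment layout described above, sketched in Unity Catalog SQL as an added example (not part of the original post or Databricks' own code). The bucket paths and group names are hypothetical placeholders, and it assumes an external location covering each path has already been created in the metastore.

```sql
-- Added example: bucket paths and group names are hypothetical placeholders.
-- Assumes external locations covering these paths already exist.

-- One catalog per environment, each with its own managed storage root,
-- so DEV, Staging and PROD data land in physically separate buckets.
CREATE CATALOG IF NOT EXISTS dev
  MANAGED LOCATION 's3://example-uc-dev/managed'
  COMMENT 'Development data';

CREATE CATALOG IF NOT EXISTS staging
  MANAGED LOCATION 's3://example-uc-staging/managed'
  COMMENT 'Pre-production data';

CREATE CATALOG IF NOT EXISTS prod
  MANAGED LOCATION 's3://example-uc-prod/managed'
  COMMENT 'Production data';

-- DEV: engineers can create and change objects freely.
GRANT USE CATALOG, USE SCHEMA, CREATE SCHEMA, CREATE TABLE, SELECT, MODIFY
  ON CATALOG dev TO `data-engineers`;

-- Staging: engineers can read and write, but not create new schemas.
GRANT USE CATALOG, USE SCHEMA, SELECT, MODIFY
  ON CATALOG staging TO `data-engineers`;

-- PROD: only the pipeline identity writes; people get read-only access.
GRANT USE CATALOG, USE SCHEMA, CREATE TABLE, SELECT, MODIFY
  ON CATALOG prod TO `prod-pipelines`;
GRANT USE CATALOG, USE SCHEMA, SELECT
  ON CATALOG prod TO `data-analysts`;

-- Review what was actually granted and where the catalog stores its data.
SHOW GRANTS ON CATALOG prod;
DESCRIBE CATALOG EXTENDED prod;
```

Restricting which workspaces can see each catalog is configured separately from these grants and is not shown here.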