To meet these requirements in a multi-company Power Platform environment:

• Security group: In a single tenant with multiple companies (environments), you assign a Microsoft Entra (Azure AD) Security Group to each environment. This filters which users can even access the environment, effectively "hiding" the Contoso Pharmaceuticals company/environment from Contoso, Ltd. users.
• Security role (Forms): In Model-driven apps, form visibility is controlled by assigning specific Security Roles to the forms. Users only see forms that match their assigned roles.
• Security role (Tables): Table-level security (Create, Read, Update, Delete) is the primary function of Security Roles in Dataverse. They define the granular permissions for specific tables.

Microsoft Learn - Control environment access: "Security groups" section. Describes using Entra ID groups to restrict environment access.

Microsoft Learn - Assign security roles to forms: Explains how to use security roles to control access to specific forms within a Model-driven app.

Microsoft Learn - Security roles and privileges: Details how security roles define access permissions for tables (entities) in Dataverse.

Microsoft Power Platform Guidance: Best practices for multi-environment tenant administration and user isolation.