Hello Phillipe, in case of single
GoodData.CN deployment with parent-child WS hierarchy (that would be really convenient for your use case), the compromised BQ SA key leads to gaining access to all datasets, because this single deployment must have access to all datasets.
Running one
GoodData.CN per tenant, with BQ SA key limited to dataset access for this particular tenant would make much more secure, reducing blast radius of leaked key only to affected dataset. As you wrote, at the expense of higher amount of containers, CPUs, memory, and maintenance overhead. If you do not need to see aggregated data from your tenants, you won't loose too much functionality if you decide to go this way.
Alternatively, you may mix both approaches - standalone deployments for "high-security-level" customers, shared deployments for "regular" customers... You can even monetize this approach 😉