
For point 1, if you're writing a multi-tenant app it's good practice to put the tenant id on every table and always filter on it. This lets you be doubly sure of fetching the correct user's data; leaking user data is worse than a bit of overhead. The alternative is always joining back to a table with a user id.

As a plus, with DBMSs that allow you to set the physical ordering on disk (MS SQL Server's clustered index, for example), you might actually improve performance by distributing writes to multiple pages and improving locality of data for per-user aggregations. It depends though.

For point 2, sometimes these things happen, through mistakes, design or just bad design. Best to protect yourself against cross-user data leaks.
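
An added example, not part of the original comment: the tenant-id-on-every-table pattern sketched with Python's `sqlite3`, where a composite foreign key also stops a child row from pointing at another tenant's parent. The `invoices` and `invoice_lines` tables, their columns and all sample rows are constructed for illustration.

```python
import sqlite3

# Constructed schema and data. Every table carries tenant_id, and the composite
# foreign key forces an invoice line to belong to the same tenant as its invoice.
SCHEMA = """
CREATE TABLE invoices (
    tenant_id INTEGER NOT NULL, id INTEGER NOT NULL,
    PRIMARY KEY (tenant_id, id)
);
CREATE TABLE invoice_lines (
    tenant_id INTEGER NOT NULL, id INTEGER NOT NULL,
    invoice_id INTEGER NOT NULL, amount INTEGER NOT NULL,
    PRIMARY KEY (tenant_id, id),
    FOREIGN KEY (tenant_id, invoice_id) REFERENCES invoices (tenant_id, id)
);
"""

def open_db():
    db = sqlite3.connect(":memory:")
    db.execute("PRAGMA foreign_keys = ON")  # SQLite leaves FK checks off by default
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO invoices VALUES (?, ?)", [(1, 10), (1, 11), (2, 10)])
    db.executemany("INSERT INTO invoice_lines VALUES (?, ?, ?, ?)",
                   [(1, 1, 10, 100), (1, 2, 10, 200), (2, 1, 10, 999)])
    db.commit()
    return db

def lines_for_invoice(db, tenant_id, invoice_id):
    """Tenant-scoped read: the tenant filter is part of every query."""
    rows = db.execute(
        "SELECT amount FROM invoice_lines"
        " WHERE tenant_id = ? AND invoice_id = ? ORDER BY id",
        (tenant_id, invoice_id))
    return [r[0] for r in rows]

def unscoped_lines(db, invoice_id):
    """The mistake to avoid: filtering on invoice_id alone mixes tenants."""
    rows = db.execute("SELECT amount FROM invoice_lines WHERE invoice_id = ?"
                      " ORDER BY tenant_id, id", (invoice_id,))
    return [r[0] for r in rows]

def cross_tenant_link_rejected(db):
    """Tenant 2 tries to attach a line to invoice 11, which only tenant 1 owns."""
    try:
        db.execute("INSERT INTO invoice_lines VALUES (2, 2, 11, 5)")
    except sqlite3.IntegrityError:
        db.rollback()
        return True
    return False
```

Because the primary key leads with `tenant_id`, engines that cluster on the primary key also store each tenant's rows together, which is the locality effect the comment mentions.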



