In a multi-tenant SaaS, every query needs a `WHERE tenant_id = ?` and one missing one is a data breach. RLS moves that filter into the database where you cannot forget it. Here is the pattern that works in practice — including the connection-pool gotcha that breaks it.