We have a client which is segmenting their multi-tenant cluster (PostgreSQL 9.6) by schema, however if one of their clients connects via pgadmin they see ALL schemas, even the ones they don't have access to read.
PG generally doesn't assume that anything in the system catalogs is sensitive. If you don't want user A looking at user B's catalog entries, give them separate databases, not just separate schemas.
I'm sure this is what you meant, but you need to give them separate *clusters*, right? Even with separate databases you can still get a list of the other databases and other roles in the cluster. I would actually love to be mistaken but when I looked at it a year or two ago I couldn't find a way to lock that down (without breaking a lot of tools anyway).
Yes, both the database and role namespace is global to an individual cluster. Its another level of trade-off; database and role names could realistically and easily be done UUID-style so knowing the labels doesn't really tell anything except a vague impression of host size.
Assuming clients don't want to see their log files...
