We considered multiple realms, but both the number of tenants and the hard requirement to allow a single user to cross tenants seem to make this a nonstarter.
The best idea we have so far is to have a single realm, but create namespaced security artifacts, e.g. Tenant1.Admins. This is not ideal, as we were hoping for more separation between tenants. I did see this, which suggests that PicketLink Tiers equate to Resources, but it's not clear how. Certainly there does not seem to be any separation of security artifacts within a Resource per se.