If you go the session variable route and are concerned about SQL injection, this paradigm won't likely work for you. However, you can replace the session variable with a role per tenant which avoids the scenario you are describing. The caveat there is that you will now have to manage a role per tenant which can be troublesome if you are trying to pack lots of tenants.
We're planning to introduce an immutable session variable later this year to make the session-based approach more viable. It won't stop someone from tampering with the tenant_id before it's initially set, but it will prevent any changes afterward. Though in practice, most of our customers aren’t too concerned. They have application-layer guardrails in place and are confident that users can’t tamper with session state directly.
