Superuser requirement for managing endpoints breaks multitenancy

The superuser requirement to isolate hosts (I think it's required for anything under manage endpoints), as well as the requirement to see all spaces to manage fleet, means you cannot have a truly multitenant environment. You cannot have an admin of a single space.

These are the permissions I am referring to:

Is there a workaround for this?