Restricting access by DB number is indeed not possible with ACL. Options are:

• Use key prefixes + ACL patterns to isolate tenants (as you wrote)
• Or separate instances if you need stronger guarantees

Here is a great explanation of why Redis doesn't support restriction by DB number and why using DB numbers in production is highly discouraged: https://github.com/redis/redis/issues/8099#issuecomment-741868975