Stream Security should be able to prevent cross-tenants access

Stream security cannot be used to prevent cross-tenant access, i.e. using signing key of tenant A should not allow to sign download distribution artefacts of tenant B.
Locate the download/streaming artifacts in folder structures reflecting the tenants (as the archive folder structure does).