Users with cross-domain visibility

This issue is found automatically by CODA.

Why is this an issue?

When the plugin com.glide.domain.msp_extensions.installer is installed, the instance allows the admin to separate users and other records into different domains. If you want to have multiple customers on the same instance, this could be a good option.

The problem is that granting users cross-domain access lets them create, read, and occasionally write records in another domain. This is risky because such a user may not be affiliated with the other company and yet may have access to its sensitive information.

Best practices

The best practice is to disable all cross-domain access and limit users to viewing and writing records only in their own domain.

If you still need a user to have access to another domain, create a new user record for them inside that domain, give that record only the most basic roles, and disable all cross-domain access.