Broadcasting is powerful, but it’s also easy to accidentally leak updates if everyone subscribes to a global stream. My default is to scope streams to a tenant boundary (like Current.account) and a resource. That means turbo_stream_from [current_account, :notifications] or broadcasting to [account, post]. This keeps the stream name unique and prevents other accounts from receiving fragments they shouldn’t. It also maps well to authorization: only render the subscription tag if the current user is allowed. I treat stream names as part of the security boundary, not just a convenience. When in doubt, scope to the smallest audience and then deliberately broaden.
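A minimal model of the boundary described above, as an added example that is not from the original post and is not Rails or Turbo code. It assumes the stream name reaches the browser as a server-signed token; StreamHub, its methods, and the account_1/account_2 tenants are hypothetical.

```ruby
require "openssl"

# Simplified stand-in for a signed-stream broadcaster (hypothetical, not Rails/Turbo code).
class StreamHub
  def initialize(secret)
    @secret = secret
    @subscribers = Hash.new { |hash, key| hash[key] = [] }
  end
  # ["account_1", :notifications] -> "account_1:notifications"
  def stream_name(streamables)
    Array(streamables).map(&:to_s).join(":")
  end

  # View layer: hand out a signed stream name only to an authorized viewer.
  def subscription_token(streamables, authorized:)
    return nil unless authorized
    name = stream_name(streamables)
    "#{name}--#{sign(name)}"
  end

  # Channel layer: accept only stream names this server signed.
  def subscribe(token, inbox)
    name, _, digest = token.to_s.rpartition("--")
    return false unless OpenSSL.secure_compare(sign(name), digest)
    @subscribers[name] << inbox
    true
  end

  def broadcast(streamables, fragment)
    @subscribers[stream_name(streamables)].each { |inbox| inbox << fragment }
  end
  private
  def sign(name)
    OpenSSL::HMAC.hexdigest("SHA256", @secret, name)
  end
end

# Constructed scenario: "account_1" and "account_2" are sample tenants.
def scoped_vs_global_demo
  hub = StreamHub.new("constructed-demo-secret")
  global_1, global_2, scoped_1, scoped_2 = [], [], [], []
  [global_1, global_2].each { |inbox| hub.subscribe(hub.subscription_token(:notifications, authorized: true), inbox) }
  { "account_1" => scoped_1, "account_2" => scoped_2 }.each { |acct, inbox| hub.subscribe(hub.subscription_token([acct, :notifications], authorized: true), inbox) }
  hub.broadcast(:notifications, "account_1 invoice")                 # global: reaches both tenants
  hub.broadcast(["account_1", :notifications], "account_1 invoice")  # scoped: reaches account_1 only
  { global_other_tenant: global_2, scoped_owner: scoped_1, scoped_other_tenant: scoped_2,
    unsigned_subscribe: hub.subscribe("account_1:notifications--bad", scoped_2),
    unauthorized_token: hub.subscription_token(["account_1", :notifications], authorized: false) }
end
```

With the global stream the second tenant's inbox receives account_1's fragment; with the scoped name it stays empty, and a subscription without a valid signature or an authorized render is refused.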