Cypher / Credentials in Multi Tenant Setup

Hi there,
I would like to better understand the intended setup of Cypher or Credentials (referring to Infra → Trust) in a Multi Tenant Setup. What is the recommended way to allow Sub Tenant Users to manage their creds through Morpheus but not see the secrets of another tenant and ideally isolate them?

From what I could gather in the docs I see these options:

  1. Create dedicated external Cypher Appliance per Tenant and add it to Morpheus, scoping it through Policies. The question here is if I can only use Credentials with this or also SSL Certs, Key Pairs or the dedicated Cypher section without having to rely on the internal cypher storage?
  2. Deploy HasiCorp Vault Instance per Tenant and create similar Cypher Stores as above, since the plugin centrally only allows me to set one Vault Backend.

Am I missing an approach or overlooking something?

Cheers
Marcel