Well, unfortunately it's not possible to have a "dedicated" SharePoint site per domain so if you create a new site collection in your tenant you can basically add any user that is in your tenant...so i'ts just a question of governance. With a good governance plan well know by everybody and also configuring your sites so it's not possible to share information with people that is not part of the site I think you could have it working

https://www.petri.com/disabling-document-sharing-users-no-access-spo-site

Aaron Spatz is correct - it's basically a question of governance. When I talk to users, I tell them we have two domains in our tenant > (1) internal access only (2) available for external sharing. But in reality, it's all the same. The externally-facing sites are regular site collections like the internal "domain", we just won't flip the switch for external-sharing unless the site complies with certain guidelines.

 

I would recommend that you follow best practices in your hierarchy design - however you define that for your organization. Microsoft wants everything flat with no subsites, and that works if you're going with the modern hub/communication/team site model. We're not using O365 groups yet for permissions, so I personally prefer a limited subsite model with a top level parent for each department and a single vertical layer of subsites because it does allow me to use inheritance when necessary.  You'll have to come up with what works best for your organization, DOCUMENT IT, and then enforce it.