I need to create a file repo for each of our clients in SPO. I will have between 500 and 1000 clients in SPO by the time our staff is done adding them all (over the next year). The goal with the client folder is to allow them to self-service certain documents we have for them from each of three departments (sales, legal, and accounting). Each of the departments needs access to every client, but only their department folder. I will create a security group for each department and add them to the appropriate client/dept folder. A couple of questions: 

Should I create a site for each client, or one "clients" site and a document library for each client? 

I was thinking that if I created a site for each client, I could just create three document libraries (one for each dept) in the client site, and apply my dept security group at the document library level. 

If I create one clients site and a document library for each client, I then have to create three subfolders in the site and apply dept. security at the folder level. It seems to me that document library level security is better (and more flexible) than folder level security. Thoughts? 

Lastly, I'm open to a totally different paradigm than what I am suggesting. Since I've never configured SPO in this type of scenario before, I may be missing some other way of doing it that has not occurred to me. Any help is appreciated!