Hi James -- that is a pretty broad topic. I'll give some answers to the security question and you can let me know if any of them hit the mark and you are looking for more detail.
Late last year there was a discussion of the permissions model in FOLIO, and the decision was to move forward with a "sets" model that allows for permission sets to be assigned to user accounts (and for sets to contain other sets). Permissions are enforced at both the OKAPI layer (the glue between the various FOLIO modules) and within modules themselves.
OKAPI, as a RESTful interface that fronts the business logic and storage modules, enforces security permissions on data access; this is a deliberate design decision that discourages direct access to the underlying storage mechanisms. In that way, the security of data rests on auditing what is happening through the OKAPI gateway.
In multitenant situations, I believe the current thinking is that each tenant is a separate storage (e.g. database) partition, and that all cross-tenant communication occurs through the OKAPI layer.
Does this start to get to your question? Let us know where you would like more detail.
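Added example, not part of the original reply and not FOLIO or Okapi code: a minimal Python sketch of the "sets" model described above, in which sets may contain other sets and a gateway-style check expands them before deciding. The set names, permission names, tenants and users are constructed sample data, and `expand` and `gateway_allows` are hypothetical helpers.

```python
# Constructed sample data: set name -> members (atomic permissions or other sets).
PERMISSION_SETS = {
    "circ-desk": ["loans.read", "loans.write", "patron-lookup"],
    "patron-lookup": ["users.read"],
    "cataloger": ["items.read", "items.write", "circ-desk"],
    # A misconfigured pair of sets that contain each other.
    "loop-a": ["loop-b", "items.read"],
    "loop-b": ["loop-a"],
}

# Constructed assignments, keyed by (tenant, user) so a grant in one
# tenant never carries over to another.
USER_GRANTS = {
    ("tenant-a", "alice"): ["cataloger"],
    ("tenant-b", "alice"): ["patron-lookup"],
    ("tenant-a", "bob"): ["loop-a"],
}


def expand(names, sets=PERMISSION_SETS):
    """Flatten set names into atomic permissions, tolerating cycles."""
    atomic, seen, stack = set(), set(), list(names)
    while stack:
        name = stack.pop()
        if name in seen:
            continue  # already visited: prevents infinite loops on cyclic sets
        seen.add(name)
        if name in sets:
            stack.extend(sets[name])  # a set: descend into its members
        else:
            atomic.add(name)  # not a known set: treat as an atomic permission
    return atomic


def gateway_allows(tenant, user, required):
    """Default deny: an unknown (tenant, user) pair expands to no permissions."""
    granted = expand(USER_GRANTS.get((tenant, user), []))
    return set(required) <= granted
```
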