In cases where an MSP co-manages a company/infrastructure with an internal IT department, it would be great if there was a user permissions level/option that easily accommodated this and that would confidently restrict them to having access to only their company (and optionally global items).
There is another feature request titled "Group and Company Restrictions" which essentially covers this. Basically the ability to specify what they're allowed to see, with an implicit deny-everything-else, instead of implicit allow with certain restrictions specified.
Another potential way to implement this could possibly be to have a portal user that could be given modify permissions for an additional charge, as portal users are already limited to single companies.