When using Postgres row-level security with session parameters, always reset the session parameter after the request. Active Record does not close connections (for efficiency), so a reused connection can retain the previous tenant's state and leak data. Typically wrap request handling in a switch function that sets and resets the parameter, mounted as a Rack middleware.