Groups in the Action Site should be visible to all console operators.
Groups within a Custom Site should only be visible to operators with read access (or more) to that particular site.
You want to create custom sites for each tenant and create a group within that site that contains all computers within that site.
The computers that an operator sees and the computers subscribed to a site are not directly tied to each other, though they often are the same in cases like these… but you should realize that giving someone access to a Site DOES NOT give them access to any computers. You assign these rights separately, even if you may assign them identically.
For example, you could have a shared site called “Windows/Servers” which contains shared content for use on Windows servers and make that available to all operators and have “all” computers subscribe to it, but operators would only be able to use the content on computers they manage.
There isn’t really a good way to entirely prevent this from happening, but you can enable a message that pops up in the console before running something that says some info for review to make it more likely the operator catches the error.