But you can limit by port, better monitering and control per tennant..
I did just that only a few weeks back.
Standard RB1000, uplinked into a Gig port on a cheap 'WebSmart' pseudo-L2 switch and defined a VLAN for each tenant. In MT, VLANs are standard interfaces, so there's nothing you can't do on a VLAN which you can on an internal Eth.
One less device to deal with, keep updates Etc...
...and tens (hundreds) of switch-chip/bridging bugs less to worry about.
Not a world changing device, but handy...
You're right on that... but 'handy' is not something to get excited about when there is a wikipage-ful of wanted features.