I don't think so.
If the same user, with same credentials (unique e-mail/phone number and password), can access both "Tenant 1" and/or "Tenant 2", it's not a security issue. It's an UI/filter issue.
Yes, but then this is UI. The original JWT token generated by Sphinx (actually, generated by you from Sphinx) says the user can have access to Tenant 1 and Tenant 2. If you want your app to only show data from Tenant 1, it's up to your app.