I guess the way they want you to do it in S3 is using a per tenant key prefix with security policy set? AWS roles and security policies are quite flexible so I guess in theory you would get the desired isolation that way. Separate buckets are still easier, though...
S3, I think they did up the bucket limit on request, but maxed out at 1,000. That was years ago though.