- Type: Task
- Resolution: Won't Do
- Priority: Major - P3
- None
- Affects Version/s: None
- Component/s: None
- Service Arch
- 1
Generally, any metadata collections that store data for a particular tenant should be made into per-tenant collections, and tenant information should not be stored in the documents in the collections themselves. This is both to mitigate the risk that tenantIds are leaked to users (if users can read the metadata collections), and to make restoring Serverless customers' clusters simpler (the tenantId for a customer can change upon a restore).
This ticket is to enforce that tenantIds are not included in internal metadata collections (other than particular exceptions, like change collections and the oplog). One potential way to do this is to add some hook that looks through internal collections and ensures a tenantId is not present.
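One way the hook described above could check documents, as an added sketch that is not MongoDB server or test-suite code: it walks each document recursively, including sub-documents and arrays, and reports every field named `tenantId` outside an exemption list. The exempt namespace names, the `config.exampleMetadata` collection and the in-memory input shape are assumptions made for the example.

```javascript
// Added example; function names and the input shape are hypothetical.
// Namespaces exempted per the ticket (change collections, oplog); exact names assumed.
const EXEMPT_NAMESPACES = new Set(["local.oplog.rs", "config.system.change_collection"]);
const FORBIDDEN_FIELD = "tenantId";

// Collect the dotted path of every field named `tenantId`,
// descending into sub-documents and array elements.
function findTenantIdPaths(value, prefix = "") {
  const hits = [];
  if (Array.isArray(value)) {
    value.forEach((item, i) => hits.push(...findTenantIdPaths(item, `${prefix}${i}.`)));
  } else if (value !== null && typeof value === "object") {
    for (const [key, child] of Object.entries(value)) {
      if (key === FORBIDDEN_FIELD) hits.push(prefix + key);
      hits.push(...findTenantIdPaths(child, `${prefix}${key}.`));
    }
  }
  return hits;
}

// `collections` maps a namespace to an array of its documents.
// Returns one record per offending field so a failure names the exact location.
function checkInternalCollections(collections) {
  const violations = [];
  for (const [ns, docs] of Object.entries(collections)) {
    if (EXEMPT_NAMESPACES.has(ns)) continue; // allowed to carry tenant information
    docs.forEach((doc, index) => {
      for (const path of findTenantIdPaths(doc)) {
        violations.push({ ns, index, path });
      }
    });
  }
  return violations;
}

// Constructed sample data: one clean document, one with a top-level and a
// nested tenantId, and an exempt oplog entry that must not be reported.
const SAMPLE = {
  "config.exampleMetadata": [
    { _id: 1, state: "ok" },
    { _id: 2, tenantId: "t-123", shards: [{ name: "s0", owner: { tenantId: "t-123" } }] },
  ],
  "local.oplog.rs": [{ op: "i", tenantId: "t-123" }],
};

for (const v of checkInternalCollections(SAMPLE)) {
  console.log(`${v.ns} doc #${v.index}: forbidden field at ${v.path}`);
}
```

A check on field names alone does not catch a tenantId embedded in a value, such as a tenant-prefixed namespace string; that would need a separate value-level check.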