In a multi-domain installation, it would be nice to have the possibility to also specify the domain of the user in the visibility/editability rules for an object.
The domain can be captured from the Active Directory attributes related to the user, and this will most probably be the most used.
Additionally, something similar can be added for other login types, for example LinkedIn groups: in this case the permissions should be differentiated based on whether the domain comes from Active Directory, LinkedIn or another source, and each user might have more than one.