Security Issue - Data Leak with django-select2 #230

@andyp05

Description

Using django-multitenant and django-select2.
I am adding a widget to a form because I need to filter on the deleted field and by default select2 will pull all records.

from django.db import models
from django_multitenant.models import TenantModel
from django_select2.forms import ModelSelect2Widget

# Accounts is the tenant model (its definition is not part of this report)
class Contacts(TenantModel):
    account = models.ForeignKey(Accounts, on_delete=models.CASCADE, related_name='cont_account', db_index=False)
    name = models.CharField(max_length=128, db_index=True)
    deleted = models.DateTimeField(null=True, blank=True)  # soft-delete timestamp

    class TenantMeta:
        tenant_field_name = "account_id"

class ContactWidget(ModelSelect2Widget):
    search_fields = ['name__icontains']
    # class attribute: built once, when this module is imported
    queryset = Contacts.objects.filter(deleted__isnull=True).order_by('name')

In the ModelForm containing the FK link to Contacts I add the widget in the Meta section:

    class Meta:
        model = ParentModel
        fields = [..., 'client_contact', 'deleted']

        widgets = {
            'client_contact': ContactWidget(attrs={'style': 'width:341px'}),
            # ...
        }

The form displays fine and the select2 dropdown shows all the entries as expected if I have only one tenant.
The queryset in the ModelSelect2Widget does not filter on account id.

From the logger:

05/20/2024 09:19:22 AM | DEBUG | (0.000) SELECT "contacts"."id", "contacts"."account_id", "contacts"."name"  WHERE "contacts"."deleted" IS NULL ORDER BY "contacts"."name" ASC LIMIT 2; args=(); alias=default | utils.py:151 debug_sql()
TENANT_STRICT_MODE = True

Did not flag the issue.
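The following is an added, self-contained model of the mechanism behind this report; it is not code from django-select2, django-multitenant, or the reporter. It assumes (as a labelled simplification) that the tenant-aware manager decides its scoping filter from a per-request context variable at the moment a queryset is built, so a widget whose queryset is a class attribute captures a tenant-less, unscoped queryset at import time, whereas a widget that builds the queryset inside get_queryset() captures the tenant of the request being served. In Django terms the hardened form corresponds to overriding the widget's get_queryset() instead of setting the class-level queryset attribute. The Contact rows, account ids and names are constructed sample data.

```python
"""Import-time vs request-time queryset scoping (simplified stand-in, not Django)."""
from contextvars import ContextVar
from dataclasses import dataclass
from typing import List, Optional

# Assumption: a middleware sets the current tenant per request; None means
# "no request in flight", which is the state during module import.
_current_tenant: ContextVar[Optional[int]] = ContextVar("current_tenant", default=None)


@dataclass(frozen=True)
class Contact:
    id: int
    account_id: int
    name: str
    deleted: bool = False


# Constructed sample data: two tenants (100, 200), one soft-deleted row each.
ROWS: List[Contact] = [
    Contact(1, 100, "Alice"),
    Contact(2, 100, "Aaron", deleted=True),
    Contact(3, 200, "Bob"),
    Contact(4, 200, "Bea", deleted=True),
]


class TenantManager:
    """Stand-in for a tenant-scoping manager: the filter is chosen when get_queryset() runs."""

    def __init__(self, rows: List[Contact]) -> None:
        self._rows = rows

    def get_queryset(self) -> List[Contact]:
        tenant = _current_tenant.get()
        if tenant is None:
            # Nothing to scope by, so every tenant's rows come back (the reported symptom).
            return list(self._rows)
        return [r for r in self._rows if r.account_id == tenant]

    def filter(self, deleted: Optional[bool] = None) -> List[Contact]:
        qs = self.get_queryset()
        if deleted is not None:
            qs = [r for r in qs if r.deleted == deleted]
        return sorted(qs, key=lambda r: r.name)


class Contacts:
    objects = TenantManager(ROWS)


class UnscopedContactWidget:
    """Mirrors the reported widget: queryset evaluated once at import, before any tenant exists."""

    queryset = Contacts.objects.filter(deleted=False)

    def get_queryset(self) -> List[Contact]:
        return self.queryset


class ScopedContactWidget:
    """Hardened form: the queryset is built per request, after the tenant has been set."""

    def get_queryset(self) -> List[Contact]:
        if _current_tenant.get() is None:
            raise PermissionError("no tenant in context; refusing to serve an unscoped queryset")
        return Contacts.objects.filter(deleted=False)


def rows_served(widget_cls, account_id: int) -> List[Contact]:
    """Simulate one select2 AJAX request handled while account_id is the current tenant."""
    token = _current_tenant.set(account_id)
    try:
        return widget_cls().get_queryset()
    finally:
        _current_tenant.reset(token)


def leaked(widget_cls, account_id: int) -> List[int]:
    """Ids of rows that belong to other tenants; a non-empty list is a cross-tenant leak."""
    return [r.id for r in rows_served(widget_cls, account_id) if r.account_id != account_id]


if __name__ == "__main__":
    print("unscoped widget leaks:", leaked(UnscopedContactWidget, 100))  # [3]
    print("scoped widget leaks:", leaked(ScopedContactWidget, 100))      # []
```

The leaked() helper is the check a reviewer would run on any widget or autocomplete endpoint in a multi-tenant app: serve it as one tenant and assert that no returned row carries another tenant's id. The logged SQL in the report shows the same thing from the database side, a WHERE clause with no account_id predicate.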
