It pretty much always is, but people are very wary of doing anything directly in the database these days, even stuff that's security-critical and should apply to every query.
I mean it’s not super common, people usually opt for separate servers/schemas first. I’ve only been at one shop that’s actually done multi-tenant with RLS.
When is it not a good idea to leverage the database's RLS for access control?