What about making possible to add security tags to SERVICES and PLUGGABLE DATABASES?
Beside giving grants locally (create database link, granting access to users), TAGs would permit interactions between services/databases only if they are tagged alike.
E.g. only PDBs belonging to s specific application can connect between each other.
The same principle apply to cloud objects, so why not on-prem or in general at PDB/Service level?