Multi-tenant vector indexes promise large cost savings by sharing one approximate-nearest-neighbour (ANN) structure across many tenants. Per-tenant orthonormal rotation is an appealing way to isolate those tenants: each tenant’s vectors are rotated under a per-tenant key, within-tenant search is preserved exactly because rotation is an isometry, and a wrong-key query returns coherent-but-incorrect results. We run a falsification-first evaluation on SIFT1M with per-tenant rotation keys and pre-registered leak, isolation, and cost gates. Rotation preserves query isolation at modest scale (matched recall ≥0.99, wrong-key ≤0.05 through T=64, V=500) yet leaves a persistent at-rest metadata channel against an observer of the stored index: membership-style classifiers reach 0.505 accuracy on a shared unpadded index. We show — and this is the central honest point — that this leakage is not new and not a defect: it is the vector/rotation instance of a principle the searchable-encryption and property-preserving-encryption literature established a decade ago, that any transformation which preserves the structure needed to compute also preserves the structure that identifies the data. A short information-conservation argument specialises this to isometric rotation (an invertible map preserves the mutual information between a tenant’s stored vectors and its identity), and we show the leakage is carried by exactly two channels — the per-tenant frame and the rotation-invariant shape — which are jointly exhaustive, yielding a closed taxonomy of the only three ways to close the channel, each a known, formally costed approach in the literature. A systematic closeout over sixteen threat×mitigation cells shows query-side two-pass masking drives access-pattern leak to chance while at-rest structure stays exposed, and only uncapped uniform padding closes both axes — at ~9.4 MB index size and 44 QPS, i.e. not deployable. The cheapest at-rest mitigation we validate is K=3 k-anonymity with greedy count-shape-matched phantoms: attribution under storage-only and adaptive-invariant adversaries is 1/K-bounded (advantage 0.135 @ T=8, 0.035 @ T=32, against a 0.35 bar) at roughly 3× storage, and it fails against an access-pattern-correlating adversary, recovering only at (K−1)/K query-traffic overhead. No single inexpensive candidate closes both leak surfaces; the honest design space is split mitigation by adversary, with k-anonymity as the bounded at-rest option. We present this as a clean unifying statement of a known limit for the increasingly common vector-search setting, measured on real data, with its mitigations placed in their proper theoretical context — not a new impossibility result, attack, or primitive. We then note the constructive dual of the same invariance: because a legitimate rotation must preserve inner products, that preservation is itself checkable, giving a zero-disclosure at-rest integrity-and-isolation audit that detects non-orthogonal corruption and tenant mixing — blind by construction to substitution of one valid key for another — the proof-of-storage principle specialised to the rotation setting, and the integrity face of the same coin whose confidentiality face is the tax. Two limits are load-bearing and stated up front: the shared heterogeneous index fails at T=100 (wrong-key ~0.36), and all at-rest results are on SIFT1M as a proxy embedding distribution, not on live language-model key-vectors.
Luis Carranza (Sun,) studied this question.