The question has been asked if a user from one domain can view another domain but still restrict the user from viewing some records.
There is a way to do this. You will have to grant the user access to the other domain then implement either before query business rules or ACL that will prevent the users from seeing data he/she is not supposed to see.
The business rule would work faster as it would only get data the user is supposed to see. ACL's would get the data then decide what data the user is supposed to see. But ACLs would work as well.
This is how you would give the user access to the other domain: