Yes, we are using postgres and my plan was to use separate schemas, if going the single db route.

The only thing that worried me is that one product might need SOC 2 sooner than another. I thought separate databases would give a smaller compliance surface to worry about. However, this will be my first time going through this process, so I am pretty uninformed here.

i think this is aligned with the author's choice. a separate schema is effectively a separate database (from a product eng perspective) with shared infra.