Hi there, @mrunge… the limitation with privacy rules that is documented in these threads (and a bunch of others, too) makes what you have described a bit harder than it should be.
The way to go seems to be to store the company on the records associated with that company as well as storing the company on the user. With that structure in place, it is easy to construct a privacy rule that makes sure a user can only see records that belong to their company (i.e., something like Current User's Company is This Record's Company).
