Currently, there is an ability to create a flow that can move data between two O365 tenants, which is a DLP issue.
Must - There must be the ability to block all data moves between two tenants using Flow
Good - Ability to approve either all cross-tenant Flows from a user or to/from a specific tenant
Better - Ability to require admin approval for each individual cross-tenant Flow created
Best - As above, but lock the Flow once approved so changes would require admin approval
Must - Any and all data that moves between tenants should have full auditing and logs available in the unified audit log. No exceptions.
Yes, it is possible through tenant restrictions. Refer to: https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/tenant-restrictions