Re: Why should organization not be both orderer and peer?
Yes, the BlockValidation policy is the key element to protect. And, we should probably change the default away from 'ANY Writers' to something more specific -- but any such changes create pains for existing users so need to be weighed carefully.
As the SO post mentions, it's possible to do things securely, it's just trickier, especially given some of the legacy concerns. If you are using node OUs, the whole thing becomes much easier to accomplish safely, but operationally, dealing with having two copies of the same MSP definition can be a bit tricky. You'll have to do updates keeping them completely in sync.
I'd still suggest sticking to separate organizations, even if they share the same CA. You can use a common CA but distinguish MSP definitions by setting an OU for that MSP which must be satisfied. This is similar to, but different from, NodeOUs. Where NodeOUs differentiate the role of an identity based on the OU, setting OUs for the MSP overall requires that, for any identity to be valid, the certificate contain some OU authorized by the MSP. This can be especially useful when an organization wishes to use public CA infrastructure which might even be shared across organizations.
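The two mechanisms contrasted above, written out as Fabric configuration. This is an added illustration, not from the original thread or the Fabric project; the MSP IDs, OU values and certificate path (Org1OrdererMSP, ORG1-PEERS, ORG1-ORDERERS, cacerts/shared-ca-cert.pem) are assumed names, and the more specific BlockValidation rule is one possible tightening, not the poster's recommendation.

```yaml
# MSP config.yaml for the peer organization (one of two MSPs sharing a CA).
# OrganizationalUnitIdentifiers gates membership: a certificate from the
# shared CA is only a valid member if it carries an OU listed here.
OrganizationalUnitIdentifiers:
  - Certificate: cacerts/shared-ca-cert.pem        # assumed path to the shared CA cert
    OrganizationalUnitIdentifier: ORG1-PEERS       # assumed OU value
# NodeOUs classify an already-valid identity by role via a second OU.
NodeOUs:
  Enable: true
  ClientOUIdentifier:
    Certificate: cacerts/shared-ca-cert.pem
    OrganizationalUnitIdentifier: client
  PeerOUIdentifier:
    Certificate: cacerts/shared-ca-cert.pem
    OrganizationalUnitIdentifier: peer
  AdminOUIdentifier:
    Certificate: cacerts/shared-ca-cert.pem
    OrganizationalUnitIdentifier: admin
  OrdererOUIdentifier:
    Certificate: cacerts/shared-ca-cert.pem
    OrganizationalUnitIdentifier: orderer
---
# MSP config.yaml for the separate orderer organization: same CA, but a
# different authorized OU, so the two MSPs admit disjoint sets of certificates.
OrganizationalUnitIdentifiers:
  - Certificate: cacerts/shared-ca-cert.pem
    OrganizationalUnitIdentifier: ORG1-ORDERERS    # assumed OU value
NodeOUs:
  Enable: true
  OrdererOUIdentifier:
    Certificate: cacerts/shared-ca-cert.pem
    OrganizationalUnitIdentifier: orderer
---
# configtx.yaml, Orderer section: the BlockValidation default discussed above.
# "ANY Writers" lets a block signed by any single org's writer pass; an org
# that is both peer and orderer therefore validates its own blocks.
Orderer:
  Policies:
    BlockValidation:
      Type: ImplicitMeta
      Rule: "ANY Writers"
    # One more specific alternative (assumed MSP ID, requires NodeOUs): only
    # orderer-role identities of the orderer MSP may sign blocks.
    # BlockValidation:
    #   Type: Signature
    #   Rule: "OR('Org1OrdererMSP.orderer')"
```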