As discussed previously in this chapter, with SharePoint classic architecture, this question may be answered by creating site collections per business unit, locality, or other business-specific concepts. You may create a collection with a large scope such as a region (US, Europe, or Asia), and then create sites inside those site collections for business units, products, departments, or agencies. 

The SharePoint modern architecture works similarly—but instead of creating rigid site structures, you can create a flat site architecture, designate hubs, and then associate sites with those hubs. If it turns out that the structure doesn't make sense or needs to be reorganized, it's a few simple clicks to update the hub site associations. Since each site is its own security boundary, you're able to move sites to new hubs without accidentally compromising access controls.

Access to classic site collections is managed using the Site Permissions control for the collection, and by default, sites and subsites inherit the permissions settings of their parent sites. This is the direct opposite of the modern SharePoint permissions experience, where access to each site is governed by its own unique site permissions (typically specified when the site is created). Since the modern SharePoint experience works on an opt-in basis (that is, site owners or creators must choose their members), it is less likely that a member will get access to content that they shouldn't.