If you don’t want to directly being constraint by the instance sizes you can abstract by those if you chose a infrastructure technology that allows you to do that. E.g. take a AWS ECS cluster. You can define multiple EC2 hosts, but the amount of RAM / CPU is defined completly flexible by the containers.
If you want to go event one step further and don’t be constraint by your own choice of the EC2 hosts, you can use something like AWS Fargate (with Kubernetes or without) where you don’t even have to define the hosts (in Azure there is something similar called Azure container instances). Instead your abstraction is the container.
Besides that, it is a little contradictory to one the one hand saw that you want to increase the security by letting every customer have their own infrastructure and on the other hand say, you care about if it is a t2.nano or t2.micro (and with this this “small” amout of money you save). Because if you want to optimize on that scale, you’ll probably be better of if you decide to put different customers to the same infrastructure (single DB e.g.) and invest more in other parts of the security topic.
Additionally the most expensive costs will be the DB anyways (if you really decide to go explicit DB server for every customer), because probably is it more realistic that you will lose a DB or something in comparison to having a data breach from one tenant to the other. So when taking a lot at RDS, if you really care about HA & data security then you need multi AZ support for HA, regular backups, automatic security patches etc.
Therefore I think there are better ways of increasing security (probably to lower costs) then completely isolating the infrastructure for every customer.