Say I have a friend that wants to host a website, but they don't want to pay for a domain. But their website has a backend so it can't just use one of the many free static site hosting services. I already own a domain so I offer to create a subdomain at friend.mydomain that provides access to their website for them. Even though they are my friend I don't want them to have access to my website. What are all the security issues that this could cause and how would I solve them if possible?
Things I'm worrying about:
- Could friend.mydomain read the cookies of mydomain?
- Could mydomain read the cookies of friend.mydomain?
- I have other subdomains that are part of my website. Would friend.mydomain and me.mydomain be able to access each other's cookies?
- For all questions 1-3 I ask the same, but instead of accessing each other's cookies, could they access each other's DOMs?
  a) read access?
  b) write access?
  c) if an iframe of one is embedded into the other?
  d) if one used window.open() to create a new window to the other?
- Potentially send malicious requests to each other through postMessage?
Which of these do I need to be concerned about? Are they solvable? Are there other potential security holes I haven't thought of?
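
The cookie questions above come down to the browser's domain-matching rule (RFC 6265). The sketch below is an added example, not part of the original question: it models that rule for the three hosts named in the post and lists which hosts would receive each cookie. `mydomain.example` is a placeholder for `mydomain`; path, Secure, SameSite and public-suffix checks, and the DOM and postMessage questions, are not modelled.

```javascript
// Added example. "mydomain.example" is a placeholder for the asker's "mydomain".
const HOSTS = ["mydomain.example", "me.mydomain.example", "friend.mydomain.example"];

// RFC 6265 5.1.3: a host domain-matches a cookie domain when they are equal
// or the host ends with "." + domain (IP-address hosts are not modelled).
function domainMatches(host, cookieDomain) {
  const d = cookieDomain.toLowerCase().replace(/^\./, "");
  const h = host.toLowerCase();
  return h === d || h.endsWith("." + d);
}

// Model of a browser storing a cookie set by `setterHost`.
// Returns null when the browser would ignore the cookie.
function setCookie(setterHost, name, domainAttr) {
  if (domainAttr === undefined) {
    // No Domain attribute: host-only cookie, bound to the exact setting host.
    return { name, domain: setterHost.toLowerCase(), hostOnly: true };
  }
  // The __Host- name prefix forbids a Domain attribute (it also requires
  // Secure and Path=/, which this sketch does not check).
  if (name.startsWith("__Host-")) return null;
  // A Domain attribute must cover the setting host itself.
  if (!domainMatches(setterHost, domainAttr)) return null;
  return { name, domain: domainAttr.toLowerCase().replace(/^\./, ""), hostOnly: false };
}

// Which of HOSTS would receive this cookie in a request?
function recipients(cookie) {
  if (cookie === null) return [];
  return HOSTS.filter((h) =>
    cookie.hostOnly ? h === cookie.domain : domainMatches(h, cookie.domain));
}

// Constructed scenarios for the three hosts in the question.
const [APEX, ME, FRIEND] = HOSTS;
const scenarios = {
  apexHostOnly: setCookie(APEX, "session"),
  apexWide: setCookie(APEX, "prefs", APEX),
  friendHostOnly: setCookie(FRIEND, "fsession"),
  friendWide: setCookie(FRIEND, "shared", APEX),
  friendToSibling: setCookie(FRIEND, "x", ME),
  friendHostPrefixWide: setCookie(FRIEND, "__Host-session", APEX),
};

for (const [label, cookie] of Object.entries(scenarios)) {
  console.log(label.padEnd(22), recipients(cookie).join(", ") || "(rejected)");
}
```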