I like to compare Lighthouse to an on-premise, one-way, cross-forest trust.
Security groups in Tenant A are granted access to RBAC roles assigned at the subscription or RG level in Tenant B. This is a one-way or parent-child relationship. The relationship is defined by a simple ARM template.
Admins in Tenant A manage adding and removing users from the Lighthouse groups. All Tenant B admins need to do is authorize the agreement and monitor the activity. The activity logs in Tenant B will show all actions by Tenant A down to the user level.
Tenant A manages the relationship in "My Customers" and Tenant B has "My Providers".
This reduces the need for guest accounts and the need to switch directories. There are some admin actions that require a tenant-local account, for example activating a Sentinel connector. Also, Lighthouse is currently limited to built-in admin roles. It is good for day-to-day administration and solution provider access.
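
Before a Tenant B admin authorizes the agreement, it helps to read what the ARM template actually grants. The sketch below is an added example, not code from the original post or from Microsoft: it parses the `Microsoft.ManagedServices/registrationDefinitions` resource of a Lighthouse template and lists each Tenant A principal with its role, flagging roles outside a reviewed built-in list. The sample template, tenant and principal IDs, group names and the `review_delegation` helper are constructed placeholders, and the role map is only a small subset of the built-in roles.

```python
import json

# Subset of Azure built-in role definition IDs; extend before real use.
BUILT_IN_ROLES = {
    "acdd72a7-3385-48ef-bd42-f606fba81ae7": "Reader",
    "b24988ac-6180-42a0-ab88-20f7382dd24c": "Contributor",
    "8e3af657-a8ff-443c-a75c-2fe8c4bcb635": "Owner",
}
UNSUPPORTED = {"Owner"}  # Lighthouse does not accept Owner in a delegation

# Constructed sample template: every tenant, principal and name is a placeholder.
SAMPLE_TEMPLATE = json.dumps({"resources": [{
    "type": "Microsoft.ManagedServices/registrationDefinitions",
    "properties": {
        "registrationDefinitionName": "Tenant A managed services (sample)",
        "managedByTenantId": "00000000-0000-0000-0000-00000000000a",
        "authorizations": [
            {"principalId": "00000000-0000-0000-0000-000000000001",
             "principalIdDisplayName": "TenantA-LH-Readers",
             "roleDefinitionId": "acdd72a7-3385-48ef-bd42-f606fba81ae7"},
            {"principalId": "00000000-0000-0000-0000-000000000002",
             "principalIdDisplayName": "TenantA-LH-Admins",
             "roleDefinitionId": "8e3af657-a8ff-443c-a75c-2fe8c4bcb635"},
            {"principalId": "00000000-0000-0000-0000-000000000003",
             "roleDefinitionId": "11111111-1111-1111-1111-111111111111"},
        ]}}]})

def review_delegation(template_text):
    """Return (managing_tenant, grants, findings) for a Lighthouse template."""
    tenant, grants, findings = None, [], []
    for res in json.loads(template_text).get("resources", []):
        if res.get("type") != "Microsoft.ManagedServices/registrationDefinitions":
            continue
        props = res.get("properties", {})
        tenant = props.get("managedByTenantId")
        for auth in props.get("authorizations", []):
            role_id = auth.get("roleDefinitionId", "").lower()
            role = BUILT_IN_ROLES.get(role_id)
            who = auth.get("principalIdDisplayName") or auth.get("principalId")
            grants.append((who, role or role_id))
            if role is None:
                findings.append(f"{who}: role {role_id} is not in the reviewed list")
            elif role in UNSUPPORTED:
                findings.append(f"{who}: {role} is not supported by Lighthouse")
    return tenant, grants, findings

if __name__ == "__main__":
    tenant, grants, findings = review_delegation(SAMPLE_TEMPLATE)
    print("Managing tenant:", tenant)
    for who, role in grants:
        print(f"  {who} -> {role}")
    print("\n".join(findings) or "No findings")
```

Templates that use `[parameters(...)]` expressions for the tenant or authorizations need the parameter file resolved first; this sketch reads literal values only.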