Splunk Enterprise Security

What is the best recommendation for segregating Windows event data?

jmaldonadojha
New Member

Good day,

We are running Splunk Enterprise 6.6.0 with Splunk Enterprise Security distributed within several datacenters. We are making preparations for ingesting events from Windows servers and I need recommendations for the best way to implement this. How do we allow individual business units to only access data related to their environment when they log in to the system? I understand Splunk bases its permissions on indexes; however, does this get complicated due to the fact that Enterprise Security has already created three Windows-associated indexes for itself (perfmon, windows, wineventlog)? I would simply make new indexes for each business unit; however, we need Enterprise Security to parse the data as well.

Would tagging accomplish this goal? If we tag logs from systems within the sales department with the "salesBU" tag, we could use "tag=salesBU" during searches. Would there be a performance issue if we do it this way?

Thank you for your help.

0 Karma

ekost
Splunk Employee

How do we allow individual business units to only access data related to their environment when they log in to the system?
The Roles in Splunk can allow access to a few, or many indexes. Isolating data sources based upon data center, business unit, or other categories will be easy at the beginning, but will become complex as the environment grows and changes. In general, the best idea is to aggregate similar data sources into a single index, unless your internal security/data access restrictions will absolutely not allow it.
As to restricting searchable data, role-based search filters are easy to implement and provide the ability to obscure data, but they can slow down searching if there are complex or many inherited filters, and they are not tough for a determined user to work around. They might not be secure enough for your use case.

I understand Splunk bases its permissions on indexes; however, does this get complicated due to the fact that Enterprise Security has already created three Windows-associated indexes for itself (perfmon, windows, wineventlog)?

By default, ES doesn't create Windows indexes (see here), so those have probably been created by the Windows Add-on/TA. ES isn't pre-configured to look for, or need, specific index names to function. ES needs access to all indexes that have security-applicable data, the data has to be CIM compliant (configured through the appropriate add-on/TA), and it has to have enough resources (cores, I/O, and storage) to maintain the Data Model Accelerations. As a result, you can have many, few, or one index with Windows data. As long as the ES roles have access, the add-on is installed, and the Data Model Accelerations are working, the Windows data will be searched by the ES app.

I think that covers the core of your question, but feel free to ask a follow-up if I've missed the point.

0 Karma
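As an added example (not code from either post above), here is one way to implement the approach ekost describes: keep the Windows data in the shared indexes the add-on created, give each business unit its own role in authorize.conf that can search only those indexes, and narrow that role with a role-based search filter. The role names, the sales-*/fin-* host naming pattern, and the custom indexed field bu are assumptions made for illustration; the index names wineventlog and perfmon are the ones named in the question.

```ini
# authorize.conf on the search head(s) -- added example, not from the original thread.
# Assumptions: Windows data lands in the wineventlog and perfmon indexes, sales
# hosts are named sales-*, finance hosts fin-*, and forwarders stamp an indexed
# field "bu" on each event (see the inputs.conf/fields.conf fragments below).

# Parent role that carries the index list every business-unit role inherits.
# Keeping index access in one stanza means a new index is added once, not per BU.
[role_windows_reader]
importRoles = user
srchIndexesAllowed = wineventlog;perfmon
srchIndexesDefault = wineventlog

# Sales business unit: same indexes, narrowed by a role-based search filter.
# Splunk ANDs srchFilter onto every search the role runs. When a user holds
# several roles, their filters are combined with OR by default
# (srchFilterSelecting = true), so giving a sales user any role with a broader
# filter, or no filter, silently widens what they can see.
[role_sales_bu]
importRoles = windows_reader
srchFilter = (host=sales-* OR bu::sales)

[role_finance_bu]
importRoles = windows_reader
srchFilter = (host=fin-* OR bu::finance)

# ---- inputs.conf on the sales forwarders (assumed input names) ----
# _meta stamps the indexed field bu=sales on every event from this input, so
# the filter does not rely on hostnames alone (hosts get renamed; _meta travels
# with the event).
# [WinEventLog://Security]
# disabled = 0
# index = wineventlog
# _meta = bu::sales

# ---- fields.conf on indexers and search heads ----
# Declares bu as an indexed field so "bu::sales" in srchFilter is matched at
# index time rather than extracted from the raw event at search time.
# [bu]
# INDEXED = true
```

Two caveats that follow from the answer above: ES itself still needs a role (for example the ess_admin/ess_analyst roles) with unfiltered access to wineventlog and perfmon so its data model accelerations see every business unit's events, and a srchFilter is an access-control convenience rather than a hard boundary. If a business unit must be unable to see another unit's data even in principle, the answer's advice to fall back on separate indexes, and separate srchIndexesAllowed lists, is the stronger option.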