So if the second subnet is routed to your first subnet interface, I think your best solution is to place this on another interface directly and have your tenant connect to that.
Internet ---- WAN ge-0/0/0 SRX *.*.131.198/30
ge-0/0/4 (or available interface) *.*.138.217/30 --- Tenant interface *.*.138.218/30 (tenant uses *.*.138.217 as default route)
Place the ge-0/0/4 into the untrust zone
Create an untrust to untrust allow all rule without any NAT
Proxy ARP is only needed when you have a connected subnet at layer 2. The routed subnets that exist behind your SRX will not need proxy ARP.
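
The steps in the reply above written out as Junos configuration-mode commands, added here as an example that is not part of the original post. The address 192.0.2.217/30 is a constructed documentation placeholder standing in for the masked *.*.138.217/30, and the policy name tenant-transit is hypothetical.

```junos
# Constructed placeholder address; substitute the real /30 for the tenant link.
set interfaces ge-0/0/4 unit 0 family inet address 192.0.2.217/30

# Place the tenant-facing interface in the untrust zone alongside the WAN interface.
set security zones security-zone untrust interfaces ge-0/0/4.0

# Intra-zone traffic is still subject to policy on the SRX, so an explicit
# untrust-to-untrust permit is required (policy name is hypothetical).
set security policies from-zone untrust to-zone untrust policy tenant-transit match source-address any
set security policies from-zone untrust to-zone untrust policy tenant-transit match destination-address any
set security policies from-zone untrust to-zone untrust policy tenant-transit match application any
set security policies from-zone untrust to-zone untrust policy tenant-transit then permit

# "Without any NAT": no source NAT rule-set should match untrust-to-untrust
# traffic. After commit, confirm from operational mode:
#   show security nat source rule all
#   show security policies from-zone untrust to-zone untrust
#   show security flow session interface ge-0/0/4.0
```

Because the tenant /30 is directly connected on its own interface here, no proxy ARP entry is configured, which matches the last paragraph of the reply.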