Use a unique document library for each set of unique permissions.

Since this is in the portal  and not in WSS, you won't be able to do
unique permissions on each document library. The permissions in the
portal are set at the Area level and not at the document library level.

Here is an idea that gets you part of the way there:
1) Create a temporary holding area and document library for documents
coming in from the customers. All customers will have access to add
documents to the holding area.
2) Create a permanent location and document library where the documents
will be stored. Only employees will have access to view the documents  in
the permanent location.
3) When a customer  adds a document to the temporary holding area, an
event handler on the document library mimics an employee, copies the
document into the permanent location, and then deletes the document from
the temporary holding area.

Since the document is deleted almost instantaneously, no other customers
will be able to see another customer's documents in the holding area.

Now this solution has two shortcomings:
1) It assumes that employees do not need to do any "scrubbing" or
validation of documents that come in from customers before it goes into
the portal.
2) It does not address the requirement  that login IDs be deleted or
expired after uploading the document. However, this requirement is a
little bit vague. What if a customer has multiple  documents to upload?
Or, what if they send in the wrong document, and they need to try again?
And what is the procedure for creating accounts in the first place?

I typically recommend that people keep their data (including documents)
in WSS and indexed/organized in SPS. Why wouldn't your proposed solution
work using a WSS Site rather than a SPS Area?

Well, that's true. It would work. He had specifically said "upload to
the portal", so I was going on that. But you are absolutely right.