What, precisely, do you want them to be able to see?
What, precisely, do you NOT want them to be able to see?
A user role can be restricted in what it can look at. One of the easiest ways is by restricting the user's search to a particular index. If the sensitive data is not in the index and the model, then the user can't look at it.
You can also use apps to limit the precise searches that your users can perform.
On the other hand, if you want your users to be able to create ad hoc searches based on a field, but do NOT want them to be able to see that field, that's a bit more problematic.
In my case, I literally want the users to only be able to search using data models, i.e. use pivot to search.
I do not want them to be able to use regular search without pivot.
I know I can restrict access to data using indexes, I already make heavy use of that method. In my organization I would like to create several classes of user, based on the capabilities rather than the data access rights of those users.
a knowledge manager user class, which corresponds with the power role
a business intelligence/IT professional user class, which corresponds mostly with the user role
a business user class which corresponds with the role I would like to be able to only search using pivot