You are spot on. Security is definitely the best option here. If someone doesn’t have access from a security perspective, they cannot see it on the UI or if they use their id to get it through an API. If you hide it through some attribute on the screen, they may still be able to access the data.
Beware that if you don't assign read rights to an attribute but you do place it on a page where the user has access to, the app will hang/freeze when trying to open the page with a progress bar. You should also set the visibillity contraints on the widget based on user role to prevent this.