I would recommend against using visibility to keep users from seeing things – even if an attribute is not visible on the page, they can still access the attribute through the console if their userrole has read access to the attribute.
Instead, I would recommend setting up security on an entity level.