I have a datatype X, which has 10 fields. Three of which I want to keep private. Every time a datatype X is created, I run an API workflow which creates a datatype Y. It then copies/duplicates the entries from Datatype X, onto Datatype Y. But only 7 fields. The 3 private fields are left out.
Datatype X stays private forever, only accessible to the thing’s owner, locked down with Privacy Rules. While datatype Y is public. When changes are made to X, another workflow updates Y too. When info is added by the public to Y, that is relevant to X, that gets linked as well. (There is a two-way link between X and Y)
To whatever end someone could ‘hack Y’, it would never interfere with X.
May not work for what you need, but thats what works for me.
In your example, assuming you want them to be able to edit just one field on X, grant them access to that single field on X via privacy rules.
For the other stuff you want them to see, but want to be sure they can never touch - duplicate them and store them on Y…then set lax privacy rules on Y.
Thats how I make do …