Support for field level security might have been something added after the original question, but to anyone checking this in 2025 or beyond this could be interesting to mitigate exposure to pii information:

https://www.elastic.co/guide/en/elasticsearch/reference/current/field-level-security.html