Hi. Sheet has two columns, A and B. Two views are created; View A has Column B hidden and is permissioned only for User A. View B has Column A hidden and is permissioned only for User B. So in this way each User can only see their own column.
How secure is this? Behind the scenes, is this achieved by sending all data to all clients but using filters applied in the client to hide certain columns? If so, is it possible for a bad actor with rights to View A but not View B, to somehow access View B data by inspecting the browser-side code? Or is View B data not sent to View A at all? Thanks in advance.
Being a spreadsheet, cells in columns and rows can cross reference via formulas. These formulas a re-evaluated on sort and filter , column/row movements etc.
So all data has to be available at the client side because the correctness of computed cells depend on the data being available immediately. The Views are not a security feature, but a productivity, data organization and convenience mechanism.
Having said that, server filtered row level permissions/access is in our roadmap as a Premium plan feature. But that would come with the advisory to avoid cross-row formulas in the Sheets where those permissions are turned on.