For simple cases with one-off properties we just set the property to null if it shouldn't be visible. We also have configured out JSON serializer to not return null objects. Hence the property isn't sent back to clients that shouldn't see it. For this to make sense though we actually have a nested object that contains the sensitive data and hide the entire object. Note that if the property name itself isn't sensitive then just sending it back as null would be fine as well.
An alternative approach is to create a derived type that has the additional properties added. Then when you create your model to be returned you create one vs the other. This complicates the creation as you also need to convert your data to the model and know when it is one vs the other but it is doable. This is actually where models (not using business/data objects) comes in handy actually.
To make this more generally reusable I would probably consider creating a custom attribute that can be applied on properties based upon the "role" of the user. Note that there is already a Role
attribute but I'm not sure you want to use it here. Irrelevant you could attribute the property(ies) that shouldn't be included. You then would need to create a custom type converter for the JSON serializer that takes the user roles and the type and doesn't write properties that it shouldn't.
Finally note that if the data is too different then you might consider creating a separate endpoint for the specialized data instead. This would greatly simplify things and avoid confusion and potential for someone accidentally exposing data they shouldn't.