Yes, as @Justin_Barrett mentioned above, the unfortunate news is that ANY collaborator (even read-only collaborators) have FULL ACCESS to viewing all of your data at all times — even hidden fields. Even if your collaborators are not allowed to create new views nor edit your data, they can still export all of the data from your system into an Excel spreadsheet, or duplicate your entire base for their own private usage into the future.
In essence, the way I recommend thinking about Airtable is that if you plan on making people collaborators, then Airtable should only be used with people you implicitly trust. Once you make someone a collaborator on your base (even a read-only collaborator), you don’t have any way to enforce data security with that person. You can prevent them from making changes to your data, but you can’t prevent them from seeing and/or stealing 100% of your data for their own personal usage later.
The best solution to workaround all of these security issues in Airtable is to use Stacker. Stacker fills in nearly 100% of the security holes that are in Airtable by giving you full control over your data & full control over your security permissions. Even better, Stacker allows you to conditionally show certain records to certain people, based on what records you want them to see.
Stacker is unable to fix OTHER security holes in Airtable. For example, once somebody knows the URL of one of your attachments, that attachment is ALWAYS publicly accessible to ANYONE who has that URL — even the general public. And even if you delete the attachment from Airtable, the attachment lives on for at least a year at that public URL. Stacker is unable to fix security holes such as this one, but Stacker IS able to fix the majority of security holes in Airtable.
Hope this helps!