Unfortunately, one of Airtable’s many limitations is that it doesn’t offer very much security. Airtable could be called a “low security platform”.
All collaborators, even read-only collaborators, can always view all the fields in a base, can always export all the fields & records from a base to a CSV file, and can even duplicate an entire base into their own private workspace for their own personal usage (which they can access even after they have left your organization).
Furthermore, in a related security hole, Airtable attachments are always visible at their URLs by anyone who knows the URL, even after the attachment has been deleted from Airtable, and even if the person viewing the attachment is no longer a collaborator on your base.
If you’d like certain collaborators to edit your data but shield them from viewing certain fields, you’d need to completely delete them as collaborators from your base altogether, and then sign up for a portal service like MiniExtensions.com. They would then use the MiniExtensions interface instead of the Airtable interface from that point forward.