Given the keys,values pattern in all the internal methods, a simple way would be to expose a sbot.format({keys,value,private}) method, and strongly recommend that plugins exposing streams use it. It would then enforce that no private data is returned, unless explicitly asked for (private=true) then, using muxrpc's auth stuff, it can just check that {private:true} is never passed to sbot unless it's an authorized connection.