Tom,
Off the top of my head, adding a "context" to each attribute might solve your problem. This would work if each application used it's own tcl procedures to generate the form. Context would be an application specific definition of when to show an attribute. So an application would determine the context based on permissions, or any other data, then pass this into the code that generates the form, which would compare that to the context set for each attribute.
We could default to NULL which would mean always show, and if context is not specified when geneating a form, show all attributes.
Anyway, something like this would probably work.