It's not really possible unless you keep the WS-LPs 1-1. That is, leads are only in one Partition and can only be seen within that one WS.
Your phrase "confidential information" makes me worried for you. Marketo is not PCI compliant and is not encrypted at disk level (unless you ask and pay).
Other things you could do:
- block some users from seeing Opp data or Lead Database at all.
- not import confidential data
Unfortunately, if you Hide a field in Marketo, it becomes unusable in the interface, so that's not what you want either.