As you noted, enabling security labels restricts access to the whole object--not just attributes on the object. The profile may work to hide attribute values for certain users. To control whether users have access to the actual documents you can set up the filter as Anton suggested, or set up ACLs to control the access to them.
↧