I don’t think it is a security issue when interface items are hidden using css, as long you have the data secured. Also hiding like Teodor suggest would prevent the user from seeing the DOM elements with devtools, but it is still in the HTML source. If you really want to hide the content within the source then you have to do that server-side.
It is true that the could edit the css to make it visible, but if the resource where it links to is protected it doesn’t matter, make sure you prevent access to the pages and server actions that are restricted.