security – How to prevent angular 2 client from accessing privileged fields

Controlling who gets to see what is the responsibility of your application, not the protocol you use to connect your front-end to your back-end.

For example if you use a RDBMS you might use the query

SELECT id, displayname, loginname FROM users;

instead of

SELECT id, displayname, loginname, passwordhash FROM users;