I've never tried this, but did you try creating a group for users that do not have permissions to access sensitive data? In such a case tags should be masked as well (but this is my assumption).
If this does not work, I don't know any other options. None of the privacy settings in Dynatrace concerns user tags. The only idea I have is creating a request attribute, making a tag based on the request attribute (it's available in SaaS so far) and setting this attribute as sensitive. In such a case the user tag made based on it should be masked, but I'm not totally sure about it. Another thing is that when some PurePaths are skipped because of high load, you will lose tagging for such sessions.