Once Gainsight supports access permissions for GS users at account level then access to specific account (based on attributes) could be enabled / disabled for any GS user. The same permissions will be valid & applied both on Gainsight UI and through Sally for the GS users.
For the use case you mentioned, I suppose the customer requested to hide data in general and not just through bot requests. In that case, I believe the above behaviour will suffice.
We have given the provision to access Sally on Slack channels to enable collaboration among users. If sharing confidential information on channels is a concern then Sally shouldn't be added to channels (can always be kicked out if already added) and can be accessed only through Direct Messages.
Please let me know in case you have any follow up questions!