It is through the Assignments tab in the User Profile section that a User's specific permissions can be assigned and where you can allow a user only Read or Write access to certain parts of the system. The below image and subsequent explanation shows how this works.
If you would like the User to have visibility of everything in the system, except for Confidential Projects, then set the toggle next to Read Assignments to "Everything". Allowing users to see as much information as possible is good for collaboration and helps the system to work properly. If, however, you want to restrict a certain user's access, slide the toggle to "Restricted" and then select the individual Projects and Departments you would like the user to be able to see.
NOTE: For both Read and Write Assignments, you must have at least one Department and Project selected in each dropdown. If you want to assign a user access to all Tasks within the Project "Project1", then the Project dropdown must have that selected and the Department dropdown must have "All" selected. If, however, you want to restrict access to just Department1's Tasks within Project1, then you must select those in their respective dropdowns. This user would not then have access to any other Department's tasks in that Project, nor would it have access to that Department's tasks in any other Project.
Write assignments designate the context in which a user can add or edit Tasks and Task Groups. If you need a user to be able to report on progress for certain parts of the system, that must be allowed for here. Write assignments work in the same way as Read assignments in that you select the Project and Department context you wish to provide access to, or select "Everything" if you want them to be able to edit everything except Confidential Projects.
Checking this role will allow a user to make changes to Tasks and add dependencies in the Gantt Chart, but only within the Project/Department context set in the Write assignments just above.
Checking this role allows a user to delete Tasks and Task Groups, as well as add and edit Projects, again only within the Project/Department context set in the Write assignments. Only System Administrators can delete Projects.
If your system has any Confidential Projects, you can assign access to those here. Not even Admin users have access to these by default. Access to Confidential Projects allows Read and Write access (but does not designate any access to other parts of the system).