We had a similar requirement, to hide few links(protected links) for an anonymous user.
Our solution was -
1. Create a Sling rewriter (LinkTransformer) to find a protected link (based on cug:repPolicy node ) and add a class(link-protected--hide) and hide link by default
2. On front end side check if a user is logged in and has access to those link then remove the class link-protected--hide
The page is always same and cached.
In your case, you can specify those links from page properties and read them directly in the header (no need to create rewriter if changes are not global) and from end based on user type remove the hidden class or add the hidden classes