The whole idea of content fragments is to store static content that can be Ui agnostic so it can be delivered to various channels. Now the issue with your requirement is validating user access which again forces you to right a custom layer that will call the cf api and then filters based on your requirement. This custom layer can probably be a sling filter (I am assuming all requests including the cf apis come as servlet request) or probably another custom servlet that can act as a proxy to respond back in your desired fashion. But then again I would rethink going through this route. See if the permissions are for end users there is no easy way to validate them inside aem without writing another custom adapter like I mentioned above. Understand if it's the content that is secured or if it's part of the cf that needs filtering because certain fields are not meant to be visible for users based on their roles. If it's the first one may be attaching tags to your cf model and querying based on tags probably using graphql is an option. But if it's actual content filtering custom layer becomes inevitable. In a prev project that I worked a. Similar solution is built using pages and components where ad groups are stored on each page or component properties and there is a node JS lambda on aws whose job is to filter the content. So going headless in this manner is not a bad thought, it's perfectly fine. But determine the volume of requests and caching strategy to improve response time etc and make a choice of simple tags and query using graphql or full blown solution that does the job. Hope this insights help you. Thanks
