This is probably a messy long-way-around, but:
If this person works on confidential projects quite a bit, what if you created a separate user login for her and her own "pocket universe" to work in via controlling everyone's access to items created under that login, similar to how others have separate departments in Workfront that are isolated from each other?
This will make reporting and other functions more tedious if these confidential projects have to be reported on alongside the non-confidential projects.
We've done this with other systems (like Box) which don't have robust ways to cordon off content and such isolation is required at a Legal or Regulatory level. Or when other departments have joined our WF instance but aren't part of our workstream and/or "just want to use the proofing module."