We do this extensively. A field can be marked as "redacted", and then interceptors can do things like:
1. (most pertinent in this discussion) The logging framework can redact fields before emitting log entries.
2. Endpoints can redact the data unless the client explicitly requests (and is allowed to receive) unredacted data.
3. Serialization mechanisms (e.g. Gson) can be configured to redact data before serializing. (Again, probably can't always do this, but can make that the default for safety.)
It's also very straightforward to hook up as a Java annotation that does the same things.
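
A sketch of the annotation variant for the logging case, added here as an example and not part of the original comment. `@Redacted`, `Account` and `toLogString` are hypothetical names and the sample values are constructed; it uses only the JDK.

```java
import java.lang.annotation.*;
import java.lang.reflect.Field;
import java.lang.reflect.Modifier;
import java.util.StringJoiner;

public class RedactionDemo {
    /** Hypothetical marker: the field's value must not reach logs by default. */
    @Retention(RetentionPolicy.RUNTIME)
    @Target(ElementType.FIELD)
    @interface Redacted {}

    // Constructed sample type.
    static class Account {
        String username = "alice";
        @Redacted String password = "hunter2";
        @Redacted String ssn = null;
    }

    /** Renders an object for a log line, masking every @Redacted field. */
    static String toLogString(Object o) {
        StringJoiner out = new StringJoiner(", ", o.getClass().getSimpleName() + "{", "}");
        // Walk superclasses too, so an inherited secret is not missed.
        for (Class<?> c = o.getClass(); c != null && c != Object.class; c = c.getSuperclass()) {
            for (Field f : c.getDeclaredFields()) {
                if (Modifier.isStatic(f.getModifiers()) || f.isSynthetic()) continue;
                String value;
                if (f.isAnnotationPresent(Redacted.class)) {
                    value = "[REDACTED]"; // same mask for null, so presence is not leaked
                } else {
                    try {
                        f.setAccessible(true);
                        value = String.valueOf(f.get(o));
                    } catch (ReflectiveOperationException | RuntimeException e) {
                        value = "[UNREADABLE]"; // fail closed rather than guess
                    }
                }
                out.add(f.getName() + "=" + value);
            }
        }
        return out.toString();
    }

    public static void main(String[] args) {
        System.out.println(toLogString(new Account()));
    }
}
```

Only the top-level fields are masked: an unannotated field holding another object is rendered through that object's own `toString()`, so nested types need the same treatment or their own annotation-aware rendering.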