Hi Stanzarctah,
The reason CRM does this is that if you allow users to assign security roles with higher privileges than they themselves have, they could assign themselves a role which would give them access to data they did not previously have access to.
If you are absolutely certain that these users are not under any circumstances allowed to see particular entities, you could give them the security permissions needed to be able to assign the appropriate security roles to other users, but have plugins running on Retrieve and RetrieveMultiple of the appropriate records which would block those particular users from seeing the data.
This is a bit of a messy solution and certainly wouldn't be what I would advise.
If you just don't want the data to be obviously available to the users, you could hide the entities on the sitemap for those users. However, they would still be able to go through Advanced Find to view the data.
~ Atomic Coder
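
A sketch of the Retrieve/RetrieveMultiple blocking plugin described in the reply above, added here as an example and not code from the poster. It assumes the step is registered on both messages for each restricted entity, and that the blocked users are supplied as comma-separated systemuser GUIDs in the step's unsecure configuration; the class name and that configuration format are hypothetical.

```csharp
using System;
using System.Collections.Generic;
using Microsoft.Xrm.Sdk;

// Added example: register on Retrieve and RetrieveMultiple for every entity
// that the role-assigning users must not be able to read.
public class BlockRestrictedReadPlugin : IPlugin
{
    // Assumption: blocked users arrive as comma-separated systemuser GUIDs
    // in the step's unsecure configuration string.
    private readonly HashSet<Guid> _blockedUsers = new HashSet<Guid>();

    public BlockRestrictedReadPlugin(string unsecureConfig, string secureConfig)
    {
        foreach (var part in (unsecureConfig ?? string.Empty).Split(','))
        {
            Guid id;
            if (Guid.TryParse(part.Trim(), out id))
                _blockedUsers.Add(id);
        }
    }

    public void Execute(IServiceProvider serviceProvider)
    {
        var context = (IPluginExecutionContext)
            serviceProvider.GetService(typeof(IPluginExecutionContext));

        // Only act on the two read messages this step is meant for.
        if (context.MessageName != "Retrieve" &&
            context.MessageName != "RetrieveMultiple")
            return;

        // Fail closed: a step with no usable block list is a deployment error,
        // and silently allowing every read would defeat the control.
        if (_blockedUsers.Count == 0)
            throw new InvalidPluginExecutionException(
                "Read-blocking step is missing its user list.");

        // InitiatingUserId is the caller who started the request; UserId can
        // be the impersonated account the step is configured to run as.
        if (_blockedUsers.Contains(context.InitiatingUserId))
            throw new InvalidPluginExecutionException(
                "Access to these records is blocked for your account.");
    }
}
```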