I have worked extensively to hide portions of my BIRT report and even have it integrated with Active Directory; however, I am unsure if BIRT filters the results on the server side (secure) or the client side (not secure). I know that the SQL is executed on the server side (the JDBC drivers are not on every client). Is the Visibility criteria applied on the server side (as I hope) or implemented in Javascript on the client? I have searched through the generated pages which are hard to read and have found no evidence of client side filtering but I would like a definitive answer.
Yes this visibility property is filtering elements on server-side, so it is secured in your case. As far as i know there is only one BIRT property acting as a sort of client-side filter: this is the "General -> display" property (block | inline | No display).
However for performance considerations, hiding an element with "visibility" property won't prevent possible datasets attached to this element from being executed: in some situations "dropping" elements by script is a better option.