This is just database connection security no? You don't need separate databases, just use your database accounts.
All the cognos tools (fm, reports, datasets) are going to use the permissions of the database account you use in the datasource to connect to the database, so create an account for the datasource that cannot access those fields/tables in your database and use that for your building your datasource. You won't be able to report on them but the cognos admins won't be able to access them either.
You can even create a separate datasource and fm model for your cleared administrators so only they can report off that data, or any similar combination you could otherwise do with database security.