Responses to requests made by a delegated admin should be filtered at the attribute level according to the privileges assigned to that user. This applies to query results and to every other response payload, not only to the primary result set.
Where privileges appear to conflict, remember that privileges are additive. This holds at the attribute level too: an attribute is allowed through the filter if any privilege that matches the object allows it. If no matching privilege allows an attribute, the filter omits it.
This filtering should be done at the outermost layer of the response path (for example a single response stage that every handler passes through, rather than separate logic in each handler) so that the filter has the first and last word on what gets through and no later step can add an attribute back.
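The additive rule and the attribute-level filter above, as an added example (not code from the original page). The privilege model is assumed: a privilege names an object type, an optional organisational-unit scope, and the set of attributes it allows, and objects are plain dicts with a `type` key that is retained as the discriminator. Two design choices go beyond the text and are assumptions: an object for which no privilege allows any attribute is dropped from a result list rather than returned empty (an empty object would still reveal that the object exists), and the filter recurses into response envelopes so that the same logic covers payloads other than the main result list. The privileges and payload are constructed sample data.

```python
from dataclasses import dataclass
from typing import Any, Iterable, Optional


@dataclass(frozen=True)
class Privilege:
    """One grant held by a delegated admin (hypothetical model for this example)."""
    object_type: str            # kind of object the grant applies to, e.g. "user"
    scope: Optional[str]        # organisational unit the grant is limited to, None = any
    attributes: frozenset[str]  # attribute names this grant lets through the filter


def matches(priv: Privilege, obj: dict[str, Any]) -> bool:
    """A privilege matches an object when the type agrees and the scope, if set, equals the object's ou."""
    if priv.object_type != obj.get("type"):
        return False
    return priv.scope is None or priv.scope == obj.get("ou")


def allowed_attributes(privs: Iterable[Privilege], obj: dict[str, Any]) -> frozenset[str]:
    """Privileges are additive: union the attribute sets of every matching privilege.

    With no matching privilege the result is the empty set, so nothing gets through.
    """
    allowed: frozenset[str] = frozenset()
    for priv in privs:
        if matches(priv, obj):
            allowed |= priv.attributes
    return allowed


def filter_object(privs: Iterable[Privilege], obj: dict[str, Any]) -> Optional[dict[str, Any]]:
    """Keep only the attributes the union of matching privileges allows; None if nothing is allowed."""
    allowed = allowed_attributes(privs, obj)
    if not allowed:
        return None  # assumption: an object with no visible attribute is withheld entirely
    out: dict[str, Any] = {"type": obj["type"]}  # discriminator is kept so clients can still parse the object
    for key, value in obj.items():
        if key != "type" and key in allowed:
            out[key] = value
    return out


def filter_payload(privs: Iterable[Privilege], payload: Any) -> Any:
    """Apply the attribute filter to a whole response: lists, envelopes and nested objects."""
    if isinstance(payload, list):
        filtered = (filter_payload(privs, item) for item in payload)
        return [item for item in filtered if item is not None]
    if isinstance(payload, dict):
        if "type" in payload:
            return filter_object(privs, payload)
        # envelope (e.g. paging metadata around results): recurse, dropping withheld objects
        out = {}
        for key, value in payload.items():
            child = filter_payload(privs, value)
            if child is not None:
                out[key] = child
        return out
    return payload  # scalars pass through unchanged


def example_privileges() -> list[Privilege]:
    """Constructed grants: two overlapping user grants and one group grant."""
    return [
        Privilege("user", "sales", frozenset({"displayName", "mail"})),
        Privilege("user", None, frozenset({"displayName", "title"})),
        Privilege("group", None, frozenset({"name"})),
    ]


def example_payload() -> dict[str, Any]:
    """Constructed query response containing objects the admin may or may not see."""
    return {
        "page": 1,
        "results": [
            {"type": "user", "ou": "sales", "displayName": "Alice Example",
             "mail": "alice@example.test", "title": "Account Manager", "passwordHash": "$2b$..."},
            {"type": "user", "ou": "eng", "displayName": "Bob Example",
             "mail": "bob@example.test", "title": "Engineer", "passwordHash": "$2b$..."},
            {"type": "group", "name": "admins", "members": ["alice", "bob"]},
            {"type": "device", "ou": "sales", "serial": "SN-0001"},
        ],
    }


if __name__ == "__main__":
    import json
    print(json.dumps(filter_payload(example_privileges(), example_payload()), indent=2))
```

Alice matches both user grants, so she comes back with displayName, mail and title (the union), while the eng-scoped Bob matches only the unscoped grant and loses mail; neither ever exposes passwordHash, and the device, which no privilege covers, is withheld. Running the filter once over the whole response object, as `filter_payload` does, is what lets it sit at the outermost layer rather than being repeated per handler.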