For now, the workaround would have to be on your external data source side. Though we will still not have the ability to hide the system/service/operations from the site designer who has the capability of using ezEdit and define connections, it is possible to set up Pass Through or Windows Credential for the system integration connections so the external data source can verify and decline request from the credential that was sent to it.
Using SQL Server connection as an example, you could set up a system account in your SQL server and use windows credential with that account in Web Parts SI system configuration. Any user design and use the SI web part with this connection can get whatever data is allowed for that system account. For data that you want to protect from general user, you could set up accounts in SQL server with the specific grant permissions. Only user granted the permission is allowed to retrieve the data. By pairing the Web Parts credential (via Pass Through or Windows Credential) and database login accounts, you can achieve the security trimming you needed, though not the perfect way.