Permissions in Adaxes are granted with the help of Security Roles. Hiding the elements of the Web Interface from the users doesn’t affect their permissions to view certain object properties. If the built-in Domain User Security Role was not modified in your environment, all authenticated users effectively have the permissions to view all objects and all their property values.
To restrict the permissions to export certain property values, you have to deny the rights to view these values using Security Roles. For details, please see https://www.adaxes.com/tutorials_DelegatingPermissions_GrantRightsToModifySpecificProperties.htm. On step 3 of the tutorial, check the Read <Property Name> permission in the Deny column.
Please note, that even if you restrict the rights to view the value of a certain property (e.g. Member Of), users will still be able to select this property during export, but the value in the exported document will be blank.