We have macros that could reveal particularly sensitive information (e.g., email address) that we use for administration and the ability to 'call them' currently has no restrictions on them.

Even though they can be 'hidden' from non-administrators in the macro browser, they can still be called by them if they know the name of the macro. Thus a client user, who has the ability to only post comments, can call them simply by typing them into a comment box. Of course, this would require them to know what they're called but if they find out then they could have access to particularly sensitive information.

There should be a permission about who can 'call' some macros. If an administrator, or someone with sufficient privileges, has added them to a page then they should remain and be editable by those who can edit the page but calling new instances of them shouldn't be allowed.