You have four options and none of them is going to be fun.
1) If you are using the reflection provider, handle the security at the root query. If it needs to be dynamic, you will probably end up using ExpressionTrees to do the projection.
2) Create a custom data service provider - http://blogs.msdn.com/b/alexj/archive/2010/01/07/data-service-providers-getting-started.aspx. If you are using Entity Framework, you will also need to modify the expression tree and remove all the null projections they add when using a custom provider. This isn't for the faint of heart.
3) Intercept the IQueryable and, using an ExpressionVisitor, remove or replace any properties that shouldn't be projected. For an example of how to intercept the query, you can see what you need to do to wrap IQueryable here: http://blogs.msdn.com/b/vitek/archive/2012/01/07/projections-in-custom-providers-simple-solution.aspx. There was a good Microsoft blog on how to intercept IQueryable and replace all the constants with properties so EF would send parameters, but I can't find it right now.
4) Switch from WCF Data Services over to Web API, where you have more control. According to this blog, that is what they are recommending anyway: http://blogs.msdn.com/b/odatateam/archive/2014/03/27/future-direction-of-wcf-data-services.aspx
That's if you just want to do it for the read in CRUD. Besides #2, that doesn't really touch the create, update and delete part of CRUD.
- Update: For option #3, you can read how to do it on my blog: http://code.msdn.microsoft.com/Entity-Framework-a958cffb/sourcecode?fileId=95130&pathId=263687793
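
Option #3 as an added example (not code from this answer or from the linked posts): an ExpressionVisitor that replaces reads of restricted properties with a default value of the same type. The `Employee` entity, the `RestrictedPropertyVisitor` name and the string-keyed restricted list are assumptions made for illustration; wrapping the IQueryable and its provider so the visitor runs on every query is not shown.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Linq.Expressions;

// Hypothetical entity, used only for this example.
public class Employee
{
    public int Id { get; set; }
    public string Name { get; set; }
    public decimal Salary { get; set; }
}

// Replaces every read of a restricted property with that type's default value.
// It rewrites the whole tree, so a hidden property is also neutralized inside
// filters and orderings, not only in the projection.
public class RestrictedPropertyVisitor : ExpressionVisitor
{
    private readonly HashSet<string> _restricted; // "Namespace.Type.Property"

    public RestrictedPropertyVisitor(IEnumerable<string> restricted)
    {
        _restricted = new HashSet<string>(restricted);
    }

    protected override Expression VisitMember(MemberExpression node)
    {
        string key = node.Member.DeclaringType.FullName + "." + node.Member.Name;
        if (!_restricted.Contains(key))
            return base.VisitMember(node);
        // A constant of the same type keeps the surrounding expression valid.
        object value = node.Type.IsValueType ? Activator.CreateInstance(node.Type) : null;
        return Expression.Constant(value, node.Type);
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed sample data and a query shaped like $select=Name,Salary.
        var data = new[] { new Employee { Id = 1, Name = "Ann", Salary = 90000m } }.AsQueryable();
        IQueryable<object> requested = data.Select(e => (object)new { e.Name, e.Salary });
        var visitor = new RestrictedPropertyVisitor(new[] { "Employee.Salary" });
        Expression rewritten = visitor.Visit(requested.Expression);
        foreach (object row in data.Provider.CreateQuery<object>(rewritten))
            Console.WriteLine(row);
    }
}
```

Because the rewrite also applies to filter and ordering expressions, a caller cannot recover a hidden value by filtering or sorting on it; the restricted list would normally be chosen per caller from the authorization context.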