Agree. Only include attributes if they can be defined. 

We customised our profile report to remove revenue information, as not all our users have this level of access, but the report was showing it.

Some of our attributes are confidential.

It would be great if there was a configuration tool (may via system roles) that determines who can see which type of information in the report.

Good idea. If this is to be implemented, will we be able to determine, which attributes are shown?