Use an import filter to specify the subset of server-side documents that you want imported by Sync Gateway and processed for sync to mobile clients. Only documents imported by Sync Gateway will be available for sync to the mobile clients. More on shared bucket access and import processing is discussed here.
Leverage Sync Gateway channels to segregate data and enforce access control on a per-user basis. If there are private documents associated with each user, then create a channel per user. If you have common documents shared across users, create a shared channel or just put documents in the public channel. In your Sync Gateway sync function, assign documents to channels based on suitable criteria.
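
The import filter and per-user/shared channel routing described above, as an added example (not code from the original page or from Couchbase). The `mobile`, `type` and `owner` fields, the `user.<name>` and `shared` channel names and the `editor` role are assumptions; the stubs at the bottom stand in for Sync Gateway's built-in `channel`, `access`, `requireUser` and `requireRole` so the logic can be exercised under Node.

```javascript
// Import filter: a server-side document is imported only if this returns true.
// Assumed convention: server writers set mobile=true on documents meant for devices.
function importFilter(doc) {
  return doc.mobile === true && (doc.type === "note" || doc.type === "announcement");
}

// Sync function: routes each document to a per-user or a shared channel.
function syncFn(doc, oldDoc) {
  if (doc._deleted) {
    if (oldDoc && oldDoc.owner) requireUser(oldDoc.owner); // only the owner may delete
    return;
  }
  if (doc.type === "note") {
    if (typeof doc.owner !== "string" || doc.owner === "") {
      throw { forbidden: "note requires an owner" };
    }
    if (oldDoc && oldDoc.owner !== doc.owner) {
      throw { forbidden: "owner cannot change" }; // a doc must not move between users
    }
    requireUser(doc.owner);                 // writer must be the claimed owner
    channel("user." + doc.owner);           // private channel per user
    access(doc.owner, "user." + doc.owner); // grant the owner read access to it
  } else if (doc.type === "announcement") {
    requireRole("editor");                  // assumed role gating writes to shared data
    channel("shared");                      // common documents, one channel for all users
  } else {
    throw { forbidden: "unknown document type" };
  }
}

// Stand-ins for Sync Gateway built-ins (local harness only, not part of the config).
let ctx = { user: null, roles: [], channels: [], grants: [] };
function channel(name) { ctx.channels.push(name); }
function access(user, name) { ctx.grants.push(user + "->" + name); }
function requireUser(name) { if (ctx.user !== name) throw { forbidden: "wrong user" }; }
function requireRole(role) { if (!ctx.roles.includes(role)) throw { forbidden: "missing role" }; }

// Runs syncFn as `user` with `roles` and reports channels, grants or the rejection.
function simulate(doc, oldDoc, user, roles) {
  ctx = { user: user, roles: roles || [], channels: [], grants: [] };
  try {
    syncFn(doc, oldDoc);
    return { ok: true, channels: ctx.channels, grants: ctx.grants };
  } catch (e) {
    return { ok: false, reason: e.forbidden };
  }
}
```

Deriving the channel name from an `owner` value that `requireUser` has already checked is what keeps a client from writing a document into another user's channel.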