I think FilterForVisitor is what you are looking for: http://world.episerver.com/documentation/Class-library/?documentId=find/8/6941FA55
FilterForVisitor applies a filter to the query that gets sent to the web service, but it doesn't make the index any more secure. When you the server-api, you can watch the queries (through fiddler or similar tool) it is sending to the open Rest Api to query the index. It does filter out the content I don't want to expose -- but since that REST api itself is open to any user who knows how to execute a web service, they can execute the same query without the Filters applied to see the indexed information that our client doesn't want exposed.
Can an index be locked down in a way that only certain user accounts, or only certain IP Address(es) can use the web/JS API?
I believe it may be possible to lock down by IP address. Contact Episerver managed services to set it up.
Also worth bearing in mind you should never expose your Find Rest endpoint URL to the public.
agreed on the endpoint, but "Not exposing" the url is not even close to the same thing as securing it, espesially since I know this client will perform vulnerability testing that Will (and has in the past) discover all unsecured endpoints whether they are exposed or not, and so would anyone who was purposfully (maliciously) digging for information they were not supposed to access. I will follow up with managed services.