In Flowgear, permissions are managed at the Site level. So for example, if a user has been granted Site Manager rights, they have a less privileged account than another user with Site Administrator rights but they will still be able to access all Workflows.
There are three ways to grant access only to specific Workflows for specific users:
Use a separate Site to partition Workflows
Consider moving a subset of your Workflows to a separate Site and granting end-users access to only that Site. If there are other sub-Workflows in your main Site that are needed by these end-user Workflows, you can call them via API (see API and Web Request).
Use the Task Starter Security Group
If an end-user only needs to access one or two Workflows, consider setting their security group to
Task Starter (see Security Groups) and then providing them with deep-links directly to the Run Now Pane of each of their required Workflows. To find the deep-link, navigate to the Workflow in the Console and copy the URL from the browser URL bar.
Users assigned Task Starter roles will not be able to see a list of Workflows and therefore will not be able to start another Workflow unless they know it's ID.
Invoke Workflows via API
If you have a line of business app that provides a front-end suitable for certain end-users, consider publishing the Workflows as API's and then calling them directly from the line of business app. See API for more on how to publish and consume Workflows as API's.