The short answer is, you can't. The long answer is, you could with your own terminus modifications, but this would require coding knowledge.
The problem in fact is even deeper than you describe and could potentially affect any parameters, not just content. In fact there a probably a lot of cases where the file content might not be private at all, but perhaps some parameter in a resource is actually private. The user resource has a perfect example of this, and so does some resources like mysql, which might allow cleartext if the user so chooses.
This is why we do things like, only allow client based SSL auth to work, and why we provide functionality such as the certificate whitelist (to only allow certain boxes to talk to PuppetDB). So at the very least you can lock down the service to only trusted sources.
In regards to tickets, we do have some users who have requested the ability to control the ACL's so that users have fine grained access to their data ( https://tickets.puppetlabs.com/browse... ) but we lack a ticket that covers filtering information before it gets into PuppetDB. I think if you wanted to raise one that would be a good idea.
If this is something urgent, then you could always modify the terminus code yourself: https://github.com/puppetlabs/puppetd... and force the fields you want to be removed before submission. Making a proper patch that is merge-worthy however would require a bit of work.