i think you can set permission per HTML view (see the .view.xml file). a file based webpart is just a wrapper around an HTML file anyway.

however, I'm not sure that would completely accomplish what you want. this would mean the user gets an ugly 'no permission' message when they try to view it, rather than just not showing. maybe some combination of these two:

- for genuine security, set permission on your HTML view, using the XML config. this means permission is actually enforced by the server, no matter what client-side code is running

- on the client, conditionalize whether you attempt to show load this webpart based on the current user's permissions. The basic permissions are available under LABKEY.Security.currentUser, which at least means you dont need to query the server to find them.