Thank you for the reply! After checking out this solution, it seems to work as expected. As a user who doesn't have read access, I am unable to see the data in the sc_req_item table, I'm not seeing the data if I create a report and look at it from a list view, or if I inspect the elements on the page using the browser's dev tools. 

This does raise a couple of other questions for me though. Does this mean an ACL isn't the best path for hiding variable data on the form? Am I missing other possible "holes" in security where a user without the correct role could still find this data? Lastly, is there a way to quickly apply the roles to multiple variables on the form, or do I have to go one by one?

These are essentially the "ACLs" for variables and is the recommended way. If you are looking to restrict the whole RITM & SCTASK, and not just the variables, then use the traditional ACLs.
Make sure you do not have any email notifications that contain the variables because it will still show in the email logs, etc.

And unfortunately you'll need to go through them one by one.

I just tried this myself and it blocked the variables on the portal as well did I do something wrong?