I would suggest to copy the informations you need (and only those informations) to a separate entity, like eg. Person, which has a 1:1 assoc. to your accounts and expose those objects with an respective access concept.
As Rene van Hofwegen already said, your current solution is imho a huge security risk, as the interface user is allowed to manage all users in the system and could therefore also delete or modify them.
Is the account you’re using to access the data an administrator in the System module?
A short update and answer for anyone who might have gotten the same issue. We have solved this by checking the "All” flag for the “Users with this user role can manage users with at most the following user roles:” setting in the User Role settings of the project security settings.
Apparently there is a hidden feature that makes it possible for users with this user role and setting enabled, to see all System.User data and be able to retrieve this information for, for example, OData streams.
Setting both the System and Administration module roles for this user to “User” works just fine. No need to set them to “Administrator” it seems.