Unhide hidden group "full" for specific netconf request?

I’ve created several service models and annotated them as hidden for group “full” (to be hidden from netconf, not only in CLI)

  tailf:annotate "/if-int:internal-interfaces" {
    tailf:hidden "full";
  }

and have added the group to config:

  <hideGroup>
    <name>full</name>
  </hideGroup>

If I do unhide full in the CLI, it shows me the interfaces list.
But I also want to have a similar option for the NETCONF queries.
Is it feasible, or should I use AAA to permit/restrict access to the nodes via NETCONF?

Thank you.

Unhiding a tailf:hidden full statement is not supported. The reason is that you would confuse machine-to-machine communication clients like a NETCONF or RESTCONF client. How would they understand that you did an unhide and there is now all of a sudden more configuration available? For such clients, the client and server agree on one or more YANG models that they map to the NETCONF/RESTCONF protocol. tailf:hidden is intended to serve human-to-machine interfaces.

The problem you are trying to solve seems to be when you have config data that can also be non-config, i.e. operational state data too.
The solution for such data is described by RFC 8342 Network Management Datastore Architecture (NMDA) and in your case together with RFC 8343 A YANG Data Model for Interface Management + RFC 8342 A YANG Data Model for IP Management etc. When your server changes such data, you change it in the logical operational state datastore. The client changes the config in the running datastore / intended configuration logical datastore. You never touch the config that the client manages.

See examples.confd/nmda and the UG for info on how NMDA is implemented with ConfD.
