Online contributions are also automatically recorded to the Activities table. This means that a contact's contribution history can be viewed by a user who does not have "access CiviContribute" permission (and hence does not see the "Contributions" tab).
Modify the Activity Selector query to check for the 'access CiviContribute' permission, and exclude activities with activity type = 'Contribution' if the user does not have that permission.
NOTE: This fix is narrowly focussed on contributions as they are more sensitive - and we have an explicit permission to prevent some users from viewing them. At some point, we may need to add a more general method of filtering various activity types.
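A sketch of the permission-gated filter described above, added here as an illustration and not CiviCRM's own code. The table and column names, the helper functions and the sample rows are assumptions; only the permission string and the activity type name come from the issue text.

```python
import sqlite3

PERM = "access CiviContribute"   # permission named in the issue
HIDDEN_TYPE = "Contribution"     # activity type named in the issue
FROM = "FROM activity a JOIN activity_type t ON t.id = a.activity_type_id"

def activity_where(contact_id, permissions):
    """Build the shared WHERE clause (hypothetical helper, assumed schema)."""
    where, params = "a.contact_id = ?", [contact_id]
    if PERM not in permissions:
        # Viewer lacks the permission: exclude contribution activities.
        where += " AND t.name <> ?"
        params.append(HIDDEN_TYPE)
    return where, params

def list_activities(conn, contact_id, permissions):
    where, params = activity_where(contact_id, permissions)
    sql = f"SELECT a.id, t.name, a.subject {FROM} WHERE {where} ORDER BY a.id"
    return conn.execute(sql, params).fetchall()

def count_activities(conn, contact_id, permissions):
    # Reuse the same filter so a pager total does not reveal how many
    # hidden contribution activities the contact has.
    where, params = activity_where(contact_id, permissions)
    sql = f"SELECT COUNT(*) {FROM} WHERE {where}"
    return conn.execute(sql, params).fetchone()[0]

def demo_db():
    """Constructed sample data in a simplified, assumed schema."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE activity_type (id INTEGER PRIMARY KEY, name TEXT);
        CREATE TABLE activity (id INTEGER PRIMARY KEY, contact_id INTEGER,
                               activity_type_id INTEGER, subject TEXT);
        INSERT INTO activity_type VALUES (1, 'Meeting'), (2, 'Contribution');
        INSERT INTO activity VALUES
            (1, 42, 1, 'Intro call'),
            (2, 42, 2, '$50.00 - Online donation'),
            (3, 42, 1, 'Follow-up'),
            (4, 7, 2, '$10.00 - Online donation');
    """)
    return conn

if __name__ == "__main__":
    db = demo_db()
    print(list_activities(db, 42, set()))    # contribution row filtered out
    print(list_activities(db, 42, {PERM}))   # all three rows for contact 42
```

Building the row query and the count query from one WHERE clause keeps the two from drifting apart when more activity types need filtering later.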