You can assign permissions to a field level. I have absolutely no clue what the SQL is for that, but I know it can be done. Maybe do it in PMA or SQLYog and see what the resultant SQL is.
However, when I log in as user@localhost, and do a select * from db.table, it shows the whole table's data.
Does SELECT User() confirm you're using the right account?
With an account with sufficient privileges try SHOW GRANTS FOR 'user'@'localhost'. What does it return?
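Added example, not part of any post in this thread: a column-level grant in MySQL, together with the checks suggested above. MySQL privileges are additive, so a SELECT grant at global, database or table level still exposes every column regardless of any column-level grant. The schema `shop`, table `customers` and its columns are constructed names; only 'user'@'localhost' comes from the thread.

```sql
-- Constructed schema: shop.customers (id, name, email, card_number).
-- Run steps 1-3 as an administrative account that may grant and revoke privileges.

-- 1. See what the account already holds. Any of these lines in the output
--    grants SELECT on every column and overrides a column restriction:
--      GRANT SELECT ON *.* ...              (global)
--      GRANT SELECT ON `shop`.* ...         (database)
--      GRANT SELECT ON `shop`.`customers`   (table, no column list)
SHOW GRANTS FOR 'user'@'localhost';

-- 2. Remove the broader grant that step 1 revealed. Run only the statement
--    that matches an existing grant; REVOKE errors out if no such grant exists.
REVOKE SELECT ON shop.customers FROM 'user'@'localhost';
-- REVOKE SELECT ON shop.* FROM 'user'@'localhost';
-- REVOKE SELECT ON *.*    FROM 'user'@'localhost';

-- 3. Grant SELECT on the permitted columns only.
GRANT SELECT (id, name) ON shop.customers TO 'user'@'localhost';

-- Column-level grants are recorded in mysql.columns_priv.
SELECT Db, Table_name, Column_name, Column_priv
  FROM mysql.columns_priv
 WHERE User = 'user' AND Host = 'localhost';

-- 4. Reconnect as 'user'@'localhost' and verify.
--    USER() is the name the client supplied; CURRENT_USER() is the account
--    the server matched and uses for privilege checks. They can differ
--    (for example when an anonymous or wildcard-host account matched).
SELECT USER(), CURRENT_USER();

SELECT id, name FROM shop.customers;   -- allowed
SELECT email FROM shop.customers;      -- rejected: no privilege on this column
SELECT * FROM shop.customers;          -- rejected: * expands to ungranted columns
```

If `SELECT *` still returns every column after step 3, the output of step 1 or a mismatch in step 4 will show which broader grant or which other account is in effect.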