Read-restricted streams do not use on-chain data; they use off-chain data. On the chain there is only a salted hash, which can be used to confirm the underlying data is valid but not to reproduce that data. The data itself is delivered separately over the peer-to-peer network, encrypted end-to-end in transit, and only delivered to nodes that can prove they have stream read permissions by signing their request.
For more information about off-chain stream data and its implementation on MultiChain, please see this blog post:
The first three parts of the 'So what’s next?' section near the end talk about some MultiChain Enterprise features.
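The salted-hash check described above, as an added example that is not part of the original post and not MultiChain's own code: it shows a receiver confirming delivered data against the on-chain value, and why the salt stops an observer from recovering a low-entropy item by hashing guesses. The construction SHA-256(salt || data), the 32-byte salt, the sample values and all function names are assumptions, since the post does not give MultiChain's exact format.

```python
import hashlib
import hmac
import os

SALT_LEN = 32  # assumed fixed length, so salt || data is unambiguous


def commit(data: bytes, salt: bytes) -> str:
    """Value that would be published on-chain (assumed form: SHA-256(salt || data))."""
    return hashlib.sha256(salt + data).hexdigest()


def verify(onchain_hash: str, data: bytes, salt: bytes) -> bool:
    """Receiver side: check an off-chain delivery (data + salt) against the chain."""
    return hmac.compare_digest(commit(data, salt), onchain_hash)


def recover_by_guessing(onchain_hash: str, candidates):
    """What a node WITHOUT read permission sees: only the hash, no salt.
    Returns the matching candidate, or None if the hash reveals nothing."""
    for candidate in candidates:
        if hmac.compare_digest(commit(candidate, b""), onchain_hash):
            return candidate
    return None


# Constructed sample data: a low-entropy item with only a few plausible values.
CANDIDATES = [b"status=approved", b"status=rejected", b"status=pending"]
ITEM = b"status=approved"
SALT = os.urandom(SALT_LEN)

ONCHAIN_SALTED = commit(ITEM, SALT)   # what a read-restricted stream would publish
ONCHAIN_UNSALTED = commit(ITEM, b"")  # weak variant, shown for comparison only

if __name__ == "__main__":
    # A permitted node receives ITEM and SALT off-chain and validates them.
    print("delivery valid:   ", verify(ONCHAIN_SALTED, ITEM, SALT))
    print("tampered delivery:", verify(ONCHAIN_SALTED, b"status=rejected", SALT))
    # Without a salt, the hash of a guessable item identifies the item.
    print("unsalted guess:   ", recover_by_guessing(ONCHAIN_UNSALTED, CANDIDATES))
    print("salted guess:     ", recover_by_guessing(ONCHAIN_SALTED, CANDIDATES))
```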