I'm doing something kind of similar - setting up multiple Islandora sites for separate namespaces within the same Fedora repository. To do this, I had to tell Islandora to limit its namespaces (in Islandora config) and tell Solr to limit its namespaces (in Solr config 7.x).
But then even someone who was logged in as admin couldn't breach the namespace partition from within one Islandora. I'm not sure if this is what you meant by "back-end" or if you want the admin stuff to only be visible through the Fedora interface... in the first case, read on.
What else I've done is made a "Private" collection that's only accessible to logged in Drupal users. I used the XACML module to define which groups of Drupal users could view these, which thanks to XACML module magic writes to RELS-EXT, which (through a modified foxml-to-solr) gets indexed to the solr fields rels.isVisibleToUser and rels.isVisibleToRole, which go into the XACML configuration, so *bam* all solr queries through Islandora are filtered by what the current user/role can see. l'm not sure how this plays out when you do a RI query (e.g. listing the contents of a collection) so you might want to keep your admin-only Fedora objects in a separate collection or an orphan collection or no collection.