Apply the run-time filter conditions on top of the security privilege to filter/remove/hide the entity records.
Create a plugin which will trigger on pre (stage) of retrievemultiple (plugin message) of the entity.
Context will return you the Query object which will have entity name and the Query expression details. you can append your filter conditions to query expression to filter the records for the entity.
Below please find the complete Plugin code.
It will trigger on load of every CRM view, so always check the entity name in the plugin and apply the appropriate logic.