Hello,
the most common approach to do what you want to do is to encrypt your content before putting it on the IPFS network (see Textile.io and their blog posts explaining how they do these things), and giving the keys to whoever needs them.
Hiding the “hash” (CID) from anyone does not prevent discovery or download from 3rd parties as every CID is published to the global DHT which can be easily sniffed. If you would not publish it, then other people would not be able to find that your node provides it. If you directly point them to your node, then this might work but I would not count on this as a way of protecting data since your node will be connected to many places by default.
IPFS Cluster is of not help here. It can’t move content from a private network daemon to a public network daemon. Not that there is no “privatization” of content once it’s been on the public network. As soon as someone else downloads it it will live on the network, until all copies are gone at least.