The browser of the user who is loading the page and requesting the content is the literal client that's performing the action, and running any Client Scripts, UI scripts, client-side UI actions, processing the UI policies and applying UI policy actions. This includes controlling whether fields are mandatory, read-only, or indeed - visible at all.
This can seem like an effective means of protecting content; for example, by hiding a field if the user doesn't have the appropriate roles. However, it's important to realize that any client-side measures can be overridden by the user. For anything which really, needs to be secured from the user seeing or modifying them, should be secured using ACLs (security rules).
Data policies are another option, and can be used as UI policies on the client. However, data policies cannot be scripted like ACLs can, so complex conditions are more difficult to implement...