Then again, what if the auditor was from a government agency? It might not be so easy to tell a government agency what tables they can and cannot look at...
That is a main purpose for table views, which allow the user to see some data (columns) in a table, while others are not viewable. Email and password hash would seem to be excellent candidates for exclusion to an auditor.