I would like to put some kind of permission on the roadmap similar to the no-monitoring/contacts in the monitoring module to allow restricted icingaweb2-users to see notification-contact-names but not the target (e.g. Pager or Email field).

In older versions restricted users were allowed to see the contact-name, but when they opened the view in /icingaweb2/monitoring/show/contact?contact_name= they received a "no permission" response, which imho is a good option from a GDPR-perspective.
Starting with icingaweb2-v2.8.0 (I believe) the behavior in the module changed.