Have been trying to limit the ability to export the CSV list to just a specific role and the creator of the event. However, it seems that the decision on whether to show the export CSV option or not is taken by 

function rsvp_csv_hash_form_access($connector, $rsvp, $invite_target)

which in turn decides based on visible guestlist access and visible attendees access - i.e. the more general rules used for visibility of guest lists on the side itself.

Is there a way to achieve different behavior for just the CSV aspect that is more restrictive? Or would that take separate permission logic?