TDE isn't meant to be an object-level access mechanism. It doesn't "protect" data from anyone who can authenticate against the database and the key store. If TDE is enabled and key store authentication is set to automatic then any user who can authenticate against the database has full access to the encrypted data, same as before TDE was enabled (thus, "transparent"). And if KS authentication is set to manual, then access is all-or-nothing. Either you specify the KS passphrase and get access to all data, or else you get no access to the DB at all. It doesn't sound like that's the use case here, although we don't have much detail yet.
TDE is meant to protect against media loss (stolen disk, server, backup tape, OS copy of DB files, etc.) and prevent access to data on disk, e.g. opening an extent in a text editor or hexdumping it.