Yes you can by using the "Cy_Prot_ConfigBusMaster" API and passing the 'secure' parameter as true for "busMaster = CPUSS_MS_ID_CM4".
It may appear that anybody can change this setting i.e. a rogue firmware running in CM4 can claim itself in Secure access mode. However, this is possible only if you have not configured the access restrictions to the MS_CTL registers. In a secure system, typically the write access to the MS_CTL register is controlled and limited to a single master (say CM0+) with protection context 0. As a result, only a proper firmware (most likely defined in a secure area by the user) running with proper access restrictions can change/update these settings - typically this would be part of OS schedulers (which runs with privileged access), which depending on the task change the access restrictions.
We will soon have an application note detailing these principles.
Meenakshi Sundaram R