As per comment it is hard to answer this without knowing specifics of setup.
In general there are two generic approaches to this:
-
Prevent unwanted terms from being returned by filtering
get_terms_args
or other available hooks. -
Prevent unwanted terms from being saved (or cancel them right after) by hooking somewhere in
wp_insert_post()
.
The more complex, but possibly much more flexible approach would be to extend wp_xmlrpc_server
server class so that categories served by it are checked against user permissions.