As per comment it is hard to answer this without knowing specifics of setup.
In general there are two generic approaches to this:
-
Prevent unwanted terms from being returned by filtering
get_terms_argsor other available hooks. -
Prevent unwanted terms from being saved (or cancel them right after) by hooking somewhere in
wp_insert_post().
The more complex, but possibly much more flexible approach would be to extend wp_xmlrpc_server server class so that categories served by it are checked against user permissions.