Our organization is actively testing an ArcGIS Enterprise solution, and we plan to build many federated servers to host 'user managed data' (think file geodatabases or Enterprise geodatabases that are usually part of some sort of data standard and have a fairly defined data lifecycle). The federated servers may be set up based on our organization units (think a server for each major 'office' or 'program'), and we plan to set up the federated servers with Restricted Publishing to prevent staff from one office (or customer base) from publishing in another office's environment. Reference: Administer a federated server—Portal for ArcGIS (10.6) | ArcGIS Enterprise
In order for this to work, the portal role privilege "publish server-based layers" (portal:publisher:publishServerServices) has to be enabled for the end users to publish to the federated servers. Each of the federated servers can be configured with 'restricted publishing' to only allow users in a specific portal group to publish to that environment; however, it seems that a member who is in a portal role that has the publish server-based layers privilege granted can also publish server-based layers to the hosting server.
Thanks for the consideration.