You can restrict users to config private by applying this user class to them. It is basically all permissions but normal commit.
set system login class PrivateConfig permissions all
set system login class PrivateConfig allow-commands "configure private"
set system login class PrivateConfig deny-commands configure
I have deployed this in our network for the same purpose, a configuration software system is active so keeping each person private is required to prevent unwanted config commits.