If you want to prevent users from writing to/reading from a specific location on the server, you either have to restrict them from using the relevant code elements (impractical, as these are needed for eg import/export tasks), or you have to make sure that those locations are made secure on the operating system level.
Library permissions can be handled in SAS metadata, but in order to make them "stick" you need to define those libraries as "metadata bound". Otherwise executing a simple libname can always undercut the metadata, unless you also restrict permissions on the OS level (see above).
My preferred path is to use the proper permissions in the operating system. If a user does not have read/execute permissions on the directory of a library, a libname for that directory will fail, and the library will not appear in the server list.
Note that relying on third-party tools (SAS in this case) to keep your operating system safe is foolish at best. Use the tools provided by the system itself (see Maxims 14 & 15).