This is Product issue, where in end user is able to create Object Structure using MXLoader. Please find below, for more information.
Using MXLoader, with user credentials and server address, on click of “Create Custom Object Structure” user is able to create a new object structure without any issues.
To restrict user performing this, we have configured Object Structure security, under MXINTOBJECT object structure, by adding Authorization Name: INTOBJECT(Object Structure application).
Using this we are successfully able to restrict the user to create Object Structures through MXLoader. As a Product perspective do you see any challenges, if we perform this
configuration. I would request you to confirm whether, it creates any issues using rest service or web service integrations.