>> Is there any way I can control which endpoints my replicate users can interact with
Noop. Best you can do is set up multiple replicate servers and control tasks that way. This is very commonly done for dev vs qa vs prod. And given servers could use specific database authentication to scope which tables can be read perhaps, but for many endpoints the minimal replicate user requirements already allow it to look everywhere. Specifically most sources (which ones are of your concern) required the Replicate DB used to ready the change log - which has all data for all tables. Still, if there is no access to the base table then table object numbers and table descriptions required for parsing the CDC logs would not be accessible and those those table would be protected.
Still, You'll have to be able to trust (and audit) the task developers to select the allowed tables and target databases.
Mind you, a Replicate user/operator being allow to stop/start or even define tasks does not see the bulk of the data in general. Just errors and sometimes through the highest logging level, but that's in the task logs which will stay behind as evidence. I think the biggest risk is replicate used defining a rogue target database where they do have data access and create a task to siphon data there. Again: trust but verify (repsrv log, exportrepository reviews, audit trails, reptask logs downloadable, but not directly accessible by those users/operators.