Add rules to saveUser for a token

I still think that collections would be more flexible, as you can extend the user fields as you need (e.g. multiple roles, address, etc…); the intent of Cockpit users is just to manage the CMS.

You can put it inside a bootstrap.php file in an addon (e.g. /addons/users/bootstrap.php); a more complete example can be:

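<?php
// Only hook account saves that arrive through the REST API
if (COCKPIT_API_REQUEST) {
  $app->on('cockpit.accounts.save', function (&$data, $update) {
    // Any additional logic you may require (check if request is from the api, etc..)
    // Drop privileged groups so an API caller cannot assign them;
    // isset() avoids a notice when the payload carries no group at all
    if (isset($data['group']) && in_array($data['group'], ['admin', 'other admin groups'], true)) {
      unset($data['group']);
    }
  });
}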
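
An allowlist variant of the group check in the hook above, as an added example that is not part of the original post or of Cockpit. The helper name `restrictApiGroup` and the group names are hypothetical. It keeps a group only when it is explicitly permitted, so a privileged group that was never listed is still removed.

```php
<?php
// Added example: hypothetical helper, not part of Cockpit.
// Allowlist counterpart of the denylist check in the hook above.

/**
 * Drop 'group' from an account payload unless it is a string naming
 * a group that API callers are allowed to assign.
 */
function restrictApiGroup(array $data, array $allowedGroups): array
{
    if (!array_key_exists('group', $data)) {
        return $data; // nothing to filter
    }
    $group = $data['group'];
    // JSON bodies can carry arrays, numbers or null here; only an exact
    // string match against the allowlist is kept.
    if (!is_string($group) || !in_array($group, $allowedGroups, true)) {
        unset($data['group']);
    }
    return $data;
}

// Constructed group names and payloads, for illustration only.
$allowed = ['author', 'subscriber'];
$payloads = [
    ['user' => 'alice', 'group' => 'author'],
    ['user' => 'bob',   'group' => 'admin'],
    ['user' => 'carol', 'group' => 'managers'],  // privileged group a denylist forgot
    ['user' => 'dave',  'group' => ['admin']],   // non-string value
    ['user' => 'erin'],                          // no group sent
];

foreach ($payloads as $payload) {
    $clean = restrictApiGroup($payload, $allowed);
    printf("%-6s group kept: %s\n", $payload['user'], $clean['group'] ?? '(removed or absent)');
}

// Inside the addon, the body of the cockpit.accounts.save handler becomes
// (with $allowed passed into the closure via `use`):
//   $data = restrictApiGroup($data, $allowed);
```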