In order to restrict which OUs your users have access to with Gopher for Users, the Admin Roles for Gopher for Users will need to be split into two categories: Global and Granular. This is because some of the scopes which Gopher for Users makes use of cannot be restricted to a per-OU delegation within the Admin Console.
The only Global scopes which Gopher for Users requires are the Admin API Privileges for Reading/Updating Groups and Schema management. If you wish to restrict Administrators from updating group memberships, the Groups permission can be set to Read only.
The remainder of the scopes can be configured on a Granular, per-OU level. Of these, the required privileges are Read access to Users and OUs. All other settings can be configured to the level you wish to allow your users within this role, for the particular OU. For example, you could set up an Admin Role which only allowed access to the "Reset Password" and "Force Password Change" features of Gopher for Users.
Note: Currently, Gopher for Users does not detect the level of Admin Access granularly, and shows all columns to the end user. Any edits in columns an Admin does not have access to will cause the entire update for that user to fail.
To grant granular access, you'll need to create two roles: one that grants access to the specific OU assigned to the user, and another that gives global access to the permissions that cannot be scoped (Groups and Schema).
From there, assign both roles to the new Administrator(s), specifying the OU they are granted access to. The OU only needs to be specified for the scoped OU custom role.
When a delegated Admin makes a request through Gopher for Users to Google, only the users they have Read access to will populate into the sheet. Likewise, only the OUs which they have permission to read will display in the autocomplete for the Org Unit Path.
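The following is an added illustration, not Gopher for Users' own code, of how the two-role split above behaves: a global Groups/Schema role combined with an OU-scoped password-reset role, the sheet population rule (only readable users appear), and the caveat that editing a column the Admin has no privilege for fails the whole row. The privilege names, the column-to-privilege mapping, the role names and the directory entries are all constructed assumptions, not the real Admin Console identifiers.

```python
from dataclasses import dataclass
# Privilege names are illustrative stand-ins for Admin Console privileges (assumption).
@dataclass(frozen=True)
class Role:
    name: str
    privileges: frozenset

@dataclass(frozen=True)
class Assignment:
    role: Role
    org_unit: "str | None" = None  # None = customer-wide; else the OU path the role is scoped to
# Which sheet column needs which privilege on the target user's OU (assumed mapping).
COLUMN_PRIVILEGE = {
    "password": "USERS_RESET_PASSWORD",
    "changePasswordAtNextLogin": "USERS_FORCE_PASSWORD_CHANGE",
    "givenName": "USERS_UPDATE",
    "groups": "GROUPS_UPDATE",         # Groups cannot be scoped per OU: global role only
    "customSchemas": "SCHEMA_MANAGE",  # likewise schema management
}

def in_scope(scope, user_ou):
    # Customer-wide scope covers every OU; an OU scope covers that OU and its children.
    return scope is None or user_ou == scope or user_ou.startswith(scope.rstrip("/") + "/")

def effective_privileges(assignments, user_ou):
    privs = set()
    for a in assignments:
        if in_scope(a.org_unit, user_ou):
            privs |= a.role.privileges
    return privs

def visible_users(assignments, users):
    # Mirror the sheet: only users in OUs the admin can read are populated.
    return [u["primaryEmail"] for u in users
            if "USERS_READ" in effective_privileges(assignments, u["orgUnitPath"])]

def check_update(assignments, user, changed_columns):
    # Edited columns the admin lacks privilege for; any hit fails the whole row update.
    privs = effective_privileges(assignments, user["orgUnitPath"])
    return sorted(c for c in changed_columns if COLUMN_PRIVILEGE[c] not in privs)
# Constructed two-role setup: a global Groups/Schema role plus a Students-only password role.
GLOBAL_ROLE = Role("Gopher Global", frozenset({"GROUPS_READ", "GROUPS_UPDATE", "SCHEMA_MANAGE"}))
OU_ROLE = Role("Gopher Password Reset", frozenset(
    {"USERS_READ", "ORG_UNITS_READ", "USERS_RESET_PASSWORD", "USERS_FORCE_PASSWORD_CHANGE"}))
HELPDESK = [Assignment(GLOBAL_ROLE), Assignment(OU_ROLE, "/Students")]
USERS = [  # constructed directory entries
    {"primaryEmail": "alice@example.com", "orgUnitPath": "/Students/Year1"},
    {"primaryEmail": "bob@example.com", "orgUnitPath": "/Staff"},
]
```

Dropping `GROUPS_UPDATE` from `GLOBAL_ROLE` models the Read-only Groups option, after which any edit to the `groups` column is reported as failing.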