I'm not sure I understand exactly what you are after. As an NSO user, you don't really issue any NETCONF get requests towards Juniper devices. NSO does that. So do you want to prevent NSO from ever configuring this device? If so, I guess you should give NSO device credentials that are only for reading. Or you could use NSO NACM rules to prevent some or all users from ever writing to the devices/device[name='yourdevice'], and also preventing them from running /devices/sync-to and /devices/device[name='yourdevice']/sync-to
In case I'm missing the point here, please explain what you had in mind.