I know Categories have nothing to do with security, but I have this problem:
I want to allow a particular user to refresh and publish certain Corporate Documents. But I don’t want them to be able to upload other documents (maybe agnostic ones) or publish to any category.
You can allow a user to publish documents. Not certain ones but any one. That user will only be able to publish documents to his or her specific group in Supervisor. They could assign any category to the document but that has nothing to do with who can see it. Think of the category as an attribute. It is unrelated to security.
Upload is a separate permission so you could, I think, control that independently.