What you wrote is all well documented in:
https://developer.apple.com/library/prerelease/ios/documentation/DataManagement/Conceptual/CloudKitQuickStart/EnablingiCloudandConfiguringCloudKit/EnablingiCloudandConfiguringCloudKit.html#//apple_ref/doc/uid/TP40014987-CH2-SW1
"An app has access to both a public and private database in each container. The public database is for storing user and app data that is shared between all instances of the app. By default, all users can read the public database, but they need to enter iCloud credentials to write to the public database. There’s a private database for each user of your app, but the app only has access to the private database of the current user. The user has to enter iCloud credentials for the app to read and write to the private database."
Other than that, the key question you asked was regarding subscriptions "......there seems to be no direct way to set which users actually receive them."
You are now confirming my original post above:
"Subscriptions are regostered(sic) on an iCloud Account - by - iCloud Account basis. When I register a subscription my iPhone and my iPad both get notified when a change is made but no one else's device gets the notification. And if the change was made by my iPad then only my iPhone will get the notification."
Regarding your desire to limit the notificatications to a subset of devices logged into the same iCloud Account - the user can go to Settings>The App>Notifications>Allow Notifications and turn that off (or limit the types of notifications). You can do that programmatically using:
[[UIApplication sharedApplication] registerUserNotificationSettings:notificationSettings];
[[UIApplication sharedApplication] registerForRemoteNotifications];