Apple - Selectively disable iCloud keychain syncing for WiFi passwords

I was able to stop my MacBook from using a Wi-Fi password that should only be used on the iPhone by going into Keychain Access -> System -> UNWANTED_WIFI_NETWORK -> Access Control and then removing airport and airportd from the list "Always allow access by these applications". Seems to be still connecting on the iPhone but not the MacBook.


I too was facing this problem and came up with a slightly more elegant workaround.

In the end, I deleted all of the relevant Wi-Fi networks from iCloud Keychain and used configuration profiles to install the network credentials on the desired devices instead.

I have written a step-by-step guide for those not familiar with creating and installing .mobileconfig files for OS X & iOS.

We're going to create a config profile for each SSID and password combination and install those selectively on our devices.

  1. Install Apple Configurator (free) from the Mac App Store.
  2. Launch Configurator, proceed past first run screens.
  3. Select the Supervise tab from top toolbar of the main application window.
  4. Under All Devices > Settings > Profiles, click the '+' icon to create a new profile.
  5. Under the General tab, give the profile a name; I suggest the same as your first Wi-Fi SSID.
  6. On the left select Wi-Fi, click Configure.
  7. Enter the SSID in the SSID field. From Security Type, select Any (Personal). Enter the Wi-Fi password into the Password field.
  8. Click Save.
  9. Repeat steps 4-8 for your second and any other SSIDs.
  10. Select each of your profiles one by one and click the share icon to export the profiles.

Now that this is done, delete your SSID settings from iCloud keychain, e.g. on your Mac go to System Preferences > Network > Wi-Fi > Advanced and forget any of the SSIDs in question by selecting their names and clicking the '-' icon. Keychain sync should forget these networks across the board, but you may need to repeat this step on your iOS devices by selecting 'Forget this network' from the SSID settings if it auto-connects undesirably. YMMV.

You are now ready to install the profiles by double clicking, or by opening from an email attachment on any iOS devices, accepting all security warnings.
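
The profile that steps 4-8 build in Apple Configurator is a property list carrying one Wi-Fi payload. As an added example (not part of the original answer), this Python script writes an equivalent unsigned profile; the SSID, password and the `com.example.wifi` identifier prefix are constructed placeholders, and the file is created owner-only because it holds the password in clear text.

```python
import os
import plistlib
import re
import uuid


def build_wifi_profile(ssid, password, org_prefix="com.example.wifi"):
    """Return the bytes of an unsigned .mobileconfig with one Wi-Fi payload."""
    # Identifiers are reverse-DNS style, so strip characters an SSID may contain.
    safe = re.sub(r"[^A-Za-z0-9-]", "-", ssid)
    wifi_payload = {
        "PayloadType": "com.apple.wifi.managed",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{org_prefix}.{safe}.wifi",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": f"Wi-Fi ({ssid})",
        "SSID_STR": ssid,
        "HIDDEN_NETWORK": False,
        "AutoJoin": True,
        # Assumed to correspond to "Any (Personal)" chosen in step 7.
        "EncryptionType": "Any",
        # Stored in clear text: anyone who can read the file learns the password.
        "Password": password,
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{org_prefix}.{safe}",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": ssid,
        "PayloadContent": [wifi_payload],
    }
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)


def write_profile(path, data):
    """Create the file readable by its owner only; refuse to overwrite."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    data = build_wifi_profile("ExampleSSID", "constructed-passphrase")
    write_profile("ExampleSSID.mobileconfig", data)
```

Delete the exported file once it is installed on the intended devices, and avoid sending it over channels where a copy persists, since it is a plain-text copy of the network password.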


Unfortunately, I can offer no perfect solution; however, I can confirm this shortcoming in the iCloud Keychain sync. I've been able to reproduce this same behavior. Indeed, a selective disabling ability in the keychain settings would do the trick. Until Apple implements functionality like that, I think your options are:

  1. turning off Wi-Fi on your phone when you're near that hotspot
  2. turning off iCloud Keychain sync on your phone.

Because iCloud Keychain was delayed from the original release of iOS 7, I'm guessing Apple just didn't have time to implement finer-grained controls on what is and isn't synced.