Yes, you can only call server RPCs on actors the server assigned to you. This rule can be used to prevent a broad range of hacks based on sending inputs your client is not allowed to send. I don’t know what is actually done though, except that a legal (non-hacked) game client would not send a server RPC for an actor it does not own.
I imagine even if a hacked client tries to send some invalid RPC, the server ignores it and could detect that something is wrong. This is just conjecture from my end though. Maybe someone else knows more about network security mechanisms in place.