The local mechanism needs to be attempted so that, when it fails, we know it will not work and can move on to the next authentication mechanism in the list.
If a client is always going to be remote from the server, then SASL_DISALLOWED_MECHANISMS is the correct way to disable this for that client. If all clients will be remote from the server, remove the <local /> element from the ApplicationRealm and it will be disabled for all clients.
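
An added example, not part of the original text or the project's own code: a Python check that lists which security realms still offer the local mechanism and removes <local /> from ApplicationRealm only. It assumes the realms are defined in a WildFly/JBoss-style standalone.xml; the sample XML is constructed and the helper names (mechanisms, drop_local) are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample, modelled on the <security-realms> part of a standalone.xml
# (assumed layout; not taken from the original page).
SAMPLE = """\
<server xmlns="urn:jboss:domain:1.4"><management><security-realms>
  <security-realm name="ManagementRealm"><authentication>
    <local default-user="$local"/>
    <properties path="mgmt-users.properties" relative-to="jboss.server.config.dir"/>
  </authentication></security-realm>
  <security-realm name="ApplicationRealm"><authentication>
    <local default-user="$local" allowed-users="*"/>
    <properties path="application-users.properties" relative-to="jboss.server.config.dir"/>
  </authentication></security-realm>
</security-realms></management></server>
"""

def _name(elem):
    """Tag name without the '{namespace}' prefix ElementTree adds."""
    return elem.tag.rsplit("}", 1)[-1]

def _auth_blocks(root):
    """Yield (realm name, <authentication> element) for every security realm."""
    for realm in root.iter():
        if _name(realm) == "security-realm":
            for child in realm:
                if _name(child) == "authentication":
                    yield realm.get("name"), child

def mechanisms(root):
    """Map each realm to the authentication elements it still offers, in order."""
    return {name: [_name(m) for m in auth] for name, auth in _auth_blocks(root)}

def drop_local(root, realm_name):
    """Remove <local/> from one realm in place; return how many were removed."""
    removed = 0
    # Materialise the list first so the tree is not modified while being walked.
    for name, auth in list(_auth_blocks(root)):
        if name == realm_name:
            for mech in [m for m in auth if _name(m) == "local"]:
                auth.remove(mech)
                removed += 1
    return removed

if __name__ == "__main__":
    root = ET.fromstring(SAMPLE)
    print("before:", mechanisms(root))
    drop_local(root, "ApplicationRealm")
    print("after: ", mechanisms(root))
```

Only the named realm is changed, so other realms keep whatever mechanisms they had.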