In federated recommendation systems, user embeddings risk leaking sensitive attributes, rendering them vulnerable to attribute inference attacks. To address this privacy threat, we propose FedAU2—a novel framework integrating adaptive adversarial training with a dual-randomized variational autoencoder (DR-VAE). Adaptive adversarial training dynamically accommodates user-level data heterogeneity to enhance robustness against inference attacks, while DR-VAE suppresses sensitive attribute leakage at the gradient level via dual randomization of latent variables and gradient perturbation. Unlike existing approaches, FedAU2 achieves superior attribute forgetting without compromising recommendation accuracy. Extensive experiments on three real-world datasets demonstrate that FedAU2 significantly outperforms state-of-the-art baselines: it reduces attribute inference accuracy by a larger margin while maintaining higher retention rates of key recommendation metrics—namely, NDCG and Recall.

Federated Recommender Systems (FedRecs) leverage federated learning to protect user privacy by retaining data locally. However, user embeddings in FedRecs often encode sensitive attribute information, rendering them vulnerable to attribute inference attacks. Attribute unlearning has emerged as a promising approach to mitigate this issue. In this paper, we focus on user-level FedRecs, which is a more practical yet challenging setting compared to group-level FedRecs. Adversarial training emerges as the most feasible approach within this context. We identify two key challenges in implementing adversarial training-based attribute unlearning for user-level FedRecs: i) mitigating training instability caused by user data heterogeneity, and ii) preventing attribute information leakage through gradients. To address these challenges, we propose FedAU2, an attribute unlearning method for user-level FedRecs. For CH1, we propose an adaptive adversarial training strategy, where the training dynamics are adjusted in response to local optimization behavior. For CH2, we propose a dual-stochastic variational autoencoder to perturb the adversarial model, effectively preventing gradient-based information leakage. Extensive experiments on three real-world datasets demonstrate that our proposed FedAU2 achieves superior performance in unlearning effectiveness and recommendation performance compared to existing baselines.