Catalogs and the API have always had some pretty big API issues (since 1.0, most has not been touched).
As OrgAdmin, SystemAdmin, or user with the "View Published Catalogs" role:
Query for catalogs will give back ALL catalogs that an Org can see, public, private, published to that org -- if you need to know if they really belong to that org you have to load the Catalog and look what org it belongs to.
As a "normal" user:
Query the API and you will get back catalogs the user has been given access to; public or private (but only in that org unless they have the role to see more). A catalog has shared privileges with it to determine what normal users have access, and what level of access.
A BIG catalog bug:
Catalog names need to be unique across you WHOLE system, all orgs - it has been this way since 1.0. We have reported this many times, but it gets small bug fixes rather than a full review. In 1.0 and 1.5 the API would just fail with errors when trying to look items up in some cases if a duplicate catalog existed; I think in 5.1 it just forgets to send over the duplicates like you are seeing.