I think it should be disabled to not logged in users by default. Anyway, here you have the code to place in functions.php :
JSON Rest is enabled public by default, and it’s used by V5 new WP editor. You can disable it and install the Classic Editor Plugin and disable API for non locahost.
function restrict_rest_api_to_localhost() { $whitelist = [ '127.0.0.1', "::1" ]; if( ! in_array($_SERVER['REMOTE_ADDR'], $whitelist ) ){ die( 'REST API is disabled.' ); } } add_action( 'rest_api_init', 'restrict_rest_api_to_localhost', 0 );