For several versions now, WordPress has included an API that is enabled by default and open to all users in read-only mode.
Although it does not pose an explicit security problem in itself, the truth is that unless the API is being used, there is little point in leaving it open, since it allows a series of queries to be generated that serve no purpose.
To check this, go to the home page of your WordPress site and add the following to the URL:
/wp-json/. For example
By default you will see information about your site in a text format (or, if your browser formats it, in a more or less readable form).
To avoid this information leak, you can activate a plugin such as Disable WP REST API, which automatically and simply gives access to this information only to users who are logged in, and closes it to anonymous browsing.
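
A way to confirm the result after activating the plugin, as an added example that is not part of the original article or of the plugin's code: it classifies an anonymous response from /wp-json/ as open or restricted. The function names, the sample bodies and the assumption that a restricted site answers anonymous requests with HTTP 401 or 403 belong to this example.

```python
import json
import urllib.error
import urllib.request

# Top-level keys of the REST index that describe the site and its API surface.
INDEX_KEYS = ("name", "description", "url", "home", "namespaces", "routes")

def classify_index(status, body):
    """Classify an anonymous response from <site>/wp-json/."""
    # Assumption: a site that restricts the API rejects anonymous requests with 401/403.
    if status in (401, 403):
        return {"state": "restricted", "exposed": []}
    try:
        data = json.loads(body)
    except (TypeError, ValueError):
        data = None  # HTML page, empty body, or other non-JSON answer
    if status == 200 and isinstance(data, dict):
        exposed = [k for k in INDEX_KEYS if k in data]
        if "namespaces" in exposed or "routes" in exposed:
            return {"state": "open", "exposed": exposed}
    return {"state": "unknown", "exposed": []}

def fetch_anonymous(site_url, timeout=10):
    """GET the index with no cookies or credentials; returns (status, body)."""
    url = site_url.rstrip("/") + "/wp-json/"
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")

# Constructed sample bodies for illustration, not captured from a real site.
SAMPLE_OPEN = json.dumps({
    "name": "Example Blog", "description": "Just another WordPress site",
    "url": "https://blog.example", "home": "https://blog.example",
    "namespaces": ["wp/v2"], "routes": {"/": {}, "/wp/v2/posts": {}},
})
SAMPLE_RESTRICTED = json.dumps({
    "code": "example_login_required",  # constructed error code
    "message": "Login required.", "data": {"status": 401},
})

if __name__ == "__main__":
    print(classify_index(200, SAMPLE_OPEN))
    print(classify_index(401, SAMPLE_RESTRICTED))
    # Against your own site: classify_index(*fetch_anonymous("https://your-site.example"))
```

On a site that uses plain permalinks the same index is served at /?rest_route=/ instead, so an "unknown" result for /wp-json/ does not by itself mean the API is closed.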