If a user is logged into your WordPress installation then REST API endpoints will function as normal… if not, the endpoints will throw an authentication error when accessed.
If there are specific endpoints or namespaces that you would like to enable for your site visitors – for example, plugins or themes will register a custom namespace for the endpoints they create – you can use the plugin’s Settings screen to whitelist the features you would like to allow anonymous calls to.
Hope that helps!
Does it mean that plugins/themes/wpcore can use REST API? Only external requests are restricted?
One note about internal requests:
If your plugin/theme using rest_do_request, there is a chance JSON REST API blocks it.
In this case, your plugin/theme needs to log a user in.
Maybe wp_set_current_user would helps.
