calmPress / calmpress

A modern CMS based on WordPress
https://calmpress.org/

Display the json schema at /wp-json/... only to authenticated users #325

Closed markkap closed 3 years ago

markkap commented 3 years ago

In theory the information that you can get this way is public and an attacker can derive it from the public HTML, but there is no reason to make it easier, and sometimes it includes information which is not available in the HTML.

Restricting access to authenticated users is probably not enough for sites which allow unsolicited user registration, but it is a first step.

Actually the wp-json related code has a definition of authenticated user which is stricter than the "normal" one and requires the use of a valid nonce in addition to the credentials, therefore that specific page is not going to be very useful to anyone trying to learn the site's schema from it.

What is left on the page is very generic information about the site and the endpoint for application passwords.
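An added example (not code from the calmPress project) of one way to apply the restriction discussed in this issue as a WordPress mu-plugin. It assumes the standard WordPress REST hooks (`rest_pre_dispatch`, `WP_REST_Server::get_namespaces()`), relies on the REST-context user check (cookie sessions count as logged in only with a valid nonce, as noted above), and the file name and error code are my own placeholders:

```php
<?php
/**
 * Plugin Name: Restrict REST schema index (constructed example)
 * Description: Refuse the /wp-json/ root index, namespace indexes and OPTIONS
 *              route descriptions unless the request is authenticated.
 *
 * Drop into wp-content/mu-plugins/ (hypothetical path for this example).
 */

add_filter(
	'rest_pre_dispatch',
	function ( $result, $server, $request ) {
		// Another filter already produced a response; leave it alone.
		if ( null !== $result ) {
			return $result;
		}

		$route = $request->get_route();

		// "/" is the root index; "/wp/v2" etc. are namespace indexes.
		// Both enumerate routes and their argument schemas.
		$is_index = ( '/' === $route )
			|| in_array( ltrim( $route, '/' ), $server->get_namespaces(), true );

		// OPTIONS on any route also returns that route's endpoint description.
		$is_options = ( 'OPTIONS' === $request->get_method() );

		if ( ! ( $is_index || $is_options ) ) {
			return $result; // Normal data routes keep their own permission callbacks.
		}

		// Authentication already ran in serve_request(), so this reflects the
		// stricter REST notion of "logged in" (cookie + valid X-WP-Nonce, or
		// application password / other REST auth).
		if ( is_user_logged_in() ) {
			return $result;
		}

		return new WP_Error(
			'rest_index_forbidden', // placeholder error code
			'The REST schema is only available to authenticated users.',
			array( 'status' => 401 )
		);
	},
	10,
	3
);
```

The `rest_authentication_errors` filter is deliberately left alone so that the rest of the API keeps its normal behaviour; only the discovery responses are gated.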