WordPress Public APIs (REST/XMLRPC/GraphQL?) Should be Protected When Privacy Mode is Turned On #504

timnolte opened this issue Dec 22, 2023 · 0 comments
Describe the bug
Currently, when Privacy mode is turned on to put the entire site behind OIDC authentication, this only protects standard web requests. The REST (and presumably other) endpoints are still publicly exposed.

To Reproduce
Steps to reproduce the behavior:

  1. Turn on "Enforce Privacy" in the plugin settings.
  2. Access /wp-json/wp/v2/posts
  3. Confirm that the content is loaded without any access restrictions.

Expected behavior
The API endpoints should return a 403 Forbidden when a user isn't already authenticated via the IDP.

Isolating the problem (mark completed items with an [x]):

  • [x] I have deactivated other plugins and confirmed this bug occurs when only this plugin is active.
  • [x] This bug happens with a default WordPress theme active.
  • [x] I can reproduce this bug consistently using the steps above.

WordPress Environment

  • Plugin Version: All versions
  • Identity Provider: Any
  • Relevant Plugin Settings: "Enforce Privacy" enabled
@timnolte timnolte added this to the 3.10.0 milestone Dec 22, 2023
@timnolte timnolte self-assigned this Dec 22, 2023
@timnolte timnolte modified the milestones: 3.10.0, 3.10.1 Apr 25, 2024
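The gap described in this issue can be closed from a site-specific mu-plugin until the plugin itself handles it. The following is an added example, not code from the plugin: it hooks WordPress core's `rest_authentication_errors` filter (run after core's cookie/nonce check, so the current user is already settled) and the `xmlrpc_enabled` filter. It assumes the plugin stores its settings in the `openid_connect_generic_settings` option under an `enforce_privacy` key; verify those names against your install.

```php
<?php
/**
 * Plugin Name: Enforce Privacy for REST and XML-RPC (added example)
 *
 * Assumption (not confirmed by the issue): the OIDC plugin keeps its settings
 * in the 'openid_connect_generic_settings' option with an 'enforce_privacy' key.
 */

/** True when the plugin's "Enforce Privacy" setting is on. */
function ep_example_privacy_enforced() {
    $settings = get_option( 'openid_connect_generic_settings', array() );
    return ! empty( $settings['enforce_privacy'] );
}

/**
 * Deny anonymous REST requests while privacy is enforced.
 * Priority 101 runs after core's rest_cookie_check_errors (priority 100),
 * which resets the current user to 0 when no valid REST nonce is present,
 * so is_user_logged_in() reflects a properly authenticated session here.
 */
add_filter( 'rest_authentication_errors', function ( $result ) {
    // Keep any error another authentication handler already produced.
    if ( is_wp_error( $result ) ) {
        return $result;
    }

    if ( ep_example_privacy_enforced() && ! is_user_logged_in() ) {
        return new WP_Error(
            'rest_forbidden',
            __( 'Authentication is required to access this site.' ),
            array( 'status' => 403 )
        );
    }

    return $result;
}, 101 );

/** Disable XML-RPC entirely while privacy is enforced. */
add_filter( 'xmlrpc_enabled', function ( $enabled ) {
    return ep_example_privacy_enforced() ? false : $enabled;
} );
```

With this active, an anonymous request to /wp-json/wp/v2/posts receives a 403 JSON error instead of the post list, while authenticated requests with a valid `wp_rest` nonce (or another authentication method the site enables) continue to work.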