--------------------------------------------------
Add the following code to functions.php (anyone)
--------------------------------------------------


if( ! is_user_logged_in() ) {
remove_action('rest_api_init', 'create_initial_rest_routes', 99);
}


-----------------------------------
OR
-----------------------------------


remove_action('rest_api_init', 'create_initial_rest_routes', 99);

------------------------------------------
Check if your site's username is exposed
------------------------------------------
website-URL.com/wp-json/wp/v1/users
website-URL.com/wp-json/wp/v2/users
website-URL.com/wp-json/