With restapi, @vocabularies endpoint is protected with "plone.restapi: Access Plone vocabularies" permission, and anonymous are not allowed to access to it.
Are there some bad side-effects to expose that endpoint also to anonymous? We usually need them to populate some selects fields in search views.
The alternative is to create each time several specialized endpoints to expose needed data.
I think there's no general answer for this... you might have a vocab with really sensitive data. Who knows, right? Including a list of usernames, I think? So I guess it was done to be "secure by default". I think that's fine (although I argue that the Editor/Contributor roles should have that permission by default). You could grant that permission to Anonymous and override the @vocabularies endpoint that does some extra checks.
For sure usernames are exposed by a vocabolary..and that was my first thougth about security problems.
And yes, you're right: i could customize the endpoint and then manage a list of "trusted" vocabularies..thanks!