As this seems to be a topic affecting multiple packages and especially both Plone backend usage of vocabularies and Plone REST API exposure of vocabularies: this post.
I propose to establish an abstraction layer for registering and quering vocabularies.
Vocabularies are utilities. The question came up, why utilities cannot be registered protected.
See response of @dieter to my question on Zope utilities: locationless utilities and permissions Register protected utility (Register protected vocabulary) · Issue #65 · zopefoundation/zope.component · GitHub
The point is: queryUtility fetches a vocabulary without a permission check, as it cannot. So: Do we add permission checks in plone.restapi and plone.app.content (or plone.app.vocabularies) or is a vocabulary registry a hot thing that can be requested for a vocabulary and this registry cares for a security check?
A starting point could be something like zope.vocabularyregistry/src/zope/vocabularyregistry at master · zopefoundation/zope.vocabularyregistry · GitHub does. Add a permission check and done.