Make all APIs restricted by default

I think a better approach is to specify which group of routes should be protected. Refer to a past topic of mine, though I don’t think a feature request is open: