Are categories protected when people access the store through the REST API?
When you use the WooCommerce Protected Categories plugin, you can restrict access to product categories so that only people with the correct login credentials and/or password can access them.
As well as preventing people from accessing the protected categories and their products directly on your WordPress site, the restrictions apply when people access your store via the REST API - for example, if an external application is retrieving the products from the WordPress MySQL database.
Products in user or role protected categories can be accessed via the REST API so long as the correct authentication is used. Password protected categories will be protected in the REST API but cannot be unlocked as this can only be done via the password form on the front end of your site.