Invoking a custom Apex REST Web service method always uses system context. Consequently, the current user's credentials are not used, and any user who has access to these methods can use their full power, regardless of permissions, field-level security, or sharing rules. Developers who expose methods using the Apex REST annotations should therefore take care that they are not inadvertently exposing any sensitive data.
Apex class methods that are exposed through the Apex REST API don't enforce object permissions and field-level security by default. To enforce object or field-level security while using SOQL SELECT statements in Apex, use the WITH SECURITY_ENFORCED clause. You can strip user-inaccessible fields from query and subquery results, or remove inaccessible sObject fields before DML operations, by using the Security.stripInaccessible method. You can also use the appropriate object or field describe result methods to check the current user’s access level on the objects and fields that the Apex REST API method is accessing. See DescribeSObjectResult Class and DescribeFieldResult Class.
Also, sharing rules (record-level access) are enforced only when a class is declared with the with sharing keyword. This requirement applies to all Apex classes, including classes that are exposed through the Apex REST API. To enforce sharing rules for Apex REST API methods, declare the class that contains these methods with the with sharing keyword. See Using the with sharing or without sharing Keywords.
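The following is an added example, not code from this documentation, showing the three controls above (with sharing, WITH SECURITY_ENFORCED, and Security.stripInaccessible plus a describe check) applied together in one Apex REST class. The Contact object, the fields queried, the URL mapping, and the response header name are assumptions chosen for illustration.

```apex
// Added example (not from the Salesforce docs). Contact, its fields, the URL
// mapping and the X-Stripped-Fields header are assumptions for illustration.
@RestResource(urlMapping='/SecureContacts/*')
global with sharing class SecureContactResource {   // with sharing: record-level sharing rules apply

    // GET /services/apexrest/SecureContacts/<accountId>
    @HttpGet
    global static List<Contact> getContacts() {
        RestRequest req = RestContext.request;
        String accountId = req.requestURI.substringAfterLast('/');

        // Describe check: refuse up front if the running user cannot read Contact at all.
        if (!Schema.sObjectType.Contact.isAccessible()) {
            RestContext.response.statusCode = 403;
            return new List<Contact>();
        }

        // WITH SECURITY_ENFORCED: the query throws System.QueryException if the
        // user lacks read access to any object or field it references, so system
        // context cannot silently return fields the caller is not allowed to see.
        return [SELECT Id, LastName, Email, Phone
                FROM Contact
                WHERE AccountId = :accountId
                WITH SECURITY_ENFORCED];
    }

    // POST body: {"c": {"LastName": "...", "Email": "...", ...}}
    @HttpPost
    global static Id createContact(Contact c) {
        // stripInaccessible drops fields the user cannot create; the sanitized
        // copy is what gets inserted, so field-level security is honored even
        // though the method itself runs in system context.
        SObjectAccessDecision decision = Security.stripInaccessible(
            AccessType.CREATABLE, new List<Contact>{ c });
        List<Contact> safe = (List<Contact>) decision.getRecords();

        // Report which fields were removed so the caller can diagnose a partial write.
        Map<String, Set<String>> removed = decision.getRemovedFields();
        if (!removed.isEmpty()) {
            RestContext.response.addHeader('X-Stripped-Fields', String.valueOf(removed));
        }

        insert safe;
        return safe[0].Id;
    }
}
```

An uncaught System.QueryException from the WITH SECURITY_ENFORCED query surfaces to the REST caller as an error response rather than as partial data, which is the intended failure mode.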