REST calls can be secure. If you set the user role for the microflow that retrieves the objects only users with that role are able to call this REST procedure. See also the documentation here: https://docs.mendix.com/refguide/published-rest-service#1-introduction
Regards,
Ronald