Show custom post type endpoint in REST API just if user has capability

The REST API has no parameter or option to solve this, in my opinion. But you should register it only if the user has the capability in his role, as in the following example.

add_action( 'rest_api_init', function() {

    // Exit if the logged-in user does not have sufficient rights.
    if ( ! current_user_can( 'edit_posts' ) ) {
        return;
    }

    // Register Meta Data.
    register_meta( 'post', 'foo', array(
        'show_in_rest' => true,
    ));
});

That exposes the custom data in the REST API only if the user has sufficient rights (capabilities) in his role. My register_meta() is only an example; that should also work with your additional parameter for register_post_type, like $wp_post_types[ 'cpt' ]->show_in_rest = true;.
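
The same pattern applied to a custom post type, as an added example that is not part of the original answer. The post type slug `book` and its label are hypothetical, and the example assumes WordPress core's default hook order, where `create_initial_rest_routes` builds the post type routes on `rest_api_init` at priority 99.

```php
<?php
// Added example, not from the original answer. 'book' is a hypothetical slug.

// Register the post type with the REST API switched off by default.
add_action( 'init', function () {
    register_post_type( 'book', array(
        'label'        => 'Books',
        'public'       => true,
        'show_in_rest' => false, // No REST routes unless enabled below.
    ) );
} );

// Priority 10 runs before core registers the post type routes
// (create_initial_rest_routes is hooked to rest_api_init at priority 99).
add_action( 'rest_api_init', function () {
    global $wp_post_types;

    // Leave the endpoint unregistered for users without the capability.
    if ( ! current_user_can( 'edit_posts' ) ) {
        return;
    }

    // Flip the flag only for this request; nothing is persisted.
    if ( isset( $wp_post_types['book'] ) ) {
        $wp_post_types['book']->show_in_rest = true;
    }
}, 10 );
```

For a user without `edit_posts`, no route for the post type is registered during that request, so a request for it is answered with the REST API's `rest_no_route` error. The controller's own permission checks still apply to users who do get the route.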
