The Latest Posts block in the WordPress editor can be exploited in a way that exposes password-protected posts and pages via the posts REST API when the “edit” context was used. This requires at least contributor privileges.
1. As one user, create a new password protected post. Ensure that it is in a "published" state.
2. Login as another user with the contributor role.
3. Create a new "draft" post and add the "Latest Posts" block.
4. Visit "https://example.com/wp-json/wp/v2/posts?order=desc&orderby=date&per_page=5&context=edit&_locale=user" to expose the password protected post content.