Brad Jorsch (Anomie) writes:
> https://www.mediawiki.org/wiki/Security_issues_with_authorization_extensions comes to mind here.
Thank you, Brad. That page is a great resource. In my case, my "restricted" wiki passes all tests on that page except the API access. Mainly because users can't edit (and therefore no editing tricks will access hidden features), we're not attempting to hide content (just old versions), and special pages are easy to blacklist via hook.
I should mention this isn't a high-security site. I'm just removing features that don't fit the purpose of the site. If people see more than they should, it's no big deal.
> You might try to hack something up by blacklisting certain API modules with ApiCheckCanExecute and the like, but such things aren't really supported.
Thanks for the tip and the warning!
DanB
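
A sketch of the ApiCheckCanExecute approach mentioned above, as an added example that is not part of the original thread and not MediaWiki's own code. It assumes MediaWiki 1.29 or later (where the hook accepts a message key plus parameters); the module list and the choice of the `deletedhistory` right as the exemption are assumptions for illustration.

```php
<?php
// LocalSettings.php fragment (added example, not from the thread).

// Constructed list: action modules to refuse for ordinary users.
// Adjust to the modules that do not fit the purpose of the wiki.
$restrictedApiActions = [ 'compare', 'feedcontributions', 'feedrecentchanges' ];

$wgHooks['ApiCheckCanExecute'][] = static function ( $module, $user, &$message )
	use ( $restrictedApiActions )
{
	// Users holding this right keep full API access (assumed policy).
	if ( $user->isAllowed( 'deletedhistory' ) ) {
		return true;
	}

	$name = $module->getModuleName();
	if ( in_array( $name, $restrictedApiActions, true ) ) {
		// Returning false with $message set makes the API die with that error.
		$message = [ 'apierror-moduledisabled', $name ];
		return false;
	}

	// This hook is run for the top-level action module. Submodules of
	// action=query (for example prop=revisions) are not filtered here,
	// so old revisions remain reachable through them.
	return true;
};
```

Because the hook only sees the action module, this is a feature-trimming measure in the sense DanB describes, not an access control for revision content.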