Capim all user information is visible except for passwords. However, the concern is that users' email addresses are also publicly accessible, which poses a privacy risk.
This is not normal behavior (when not logged as an admin user). Please share your list of extensions, there's probably one misbehaving if you see emails as guest.
The GET /api/users endpoint has a corresponding permission in the admin panel if you don't want non-admins to be able to list users. Note that it will also prevent auto-filling mentions.
Unfortunately because Flarum user IDs are sequential, it will always be possible for a bad actor to enumerate the list of users. If that's a concern to you, you'd need to create an extension that changes the user ID to something non-sequential.
At the same time, extensions should make sure they only reveal information in the user API payload if the actor has the necessary permissions. For example if the bio text is only readable by logged in members, then guests shouldn't see it when querying the API.
