Exposing Data with Apex REST Web Service Methods
Object-level and field-level security (FLS) are enforced on SOQL SELECT statements in Apex REST methods by default (see Versioned Behavior Changes). To bypass them for a specific query, add the WITH SYSTEM_MODE clause to the SELECT statement; to enforce them explicitly whatever the class's API version, use the WITH USER_MODE clause instead.
You can also use the object or field describe result methods, such as isAccessible(), to check the current user's access to the objects and fields that the Apex REST API method reads or writes, and reject the request before running the query. See DescribeSObjectResult Class and DescribeFieldResult Class.
Sharing rules (record-level access) are also enforced by default. To bypass sharing rules in Apex REST API methods, you must explicitly declare the class that contains these methods with the without sharing keyword. See Using the with sharing or without sharing Keywords.
Versioned Behavior Changes
The defaults depend on the API version of the class that contains the Apex REST method. In API version 67.0 and later, Apex runs in user context by default, which means that the current user's object permissions and field-level security (FLS) are enforced during code execution. In API version 66.0 and earlier, system mode is the default, which means that the current user's object permissions and FLS settings are ignored unless the code enforces them explicitly (for example, with WITH USER_MODE).
In API version 67.0 and later, classes without an explicit sharing declaration run in with sharing mode. In API version 66.0 and earlier, the default sharing mode of classes without an explicit sharing declaration is without sharing. Declaring with sharing or without sharing explicitly makes the class's behavior the same on either API version.
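As an added example that ties together the points above (it is not code from the Salesforce documentation): an Apex REST resource that declares its sharing mode explicitly, checks the caller's access with the describe result methods, and enforces object permissions and FLS on its SOQL with WITH USER_MODE, so it behaves the same whether the class is saved with API version 66.0 or 67.0. The class name, URL mapping, and the Contact fields it returns are assumptions chosen for illustration.

```apex
// Added example, not from the Salesforce docs. The class name, URL mapping and
// the field list are assumptions chosen for illustration.
//
// "with sharing" is stated explicitly so that record-level access is enforced
// even on API version 66.0 and earlier, where the implicit default is without sharing.
@RestResource(urlMapping='/secure-contacts/*')
global with sharing class SecureContactRest {

    // Field tokens for every field the endpoint returns; checked before querying.
    private static final List<Schema.SObjectField> RETURNED_FIELDS =
        new List<Schema.SObjectField>{ Contact.FirstName, Contact.LastName, Contact.Email };

    @HttpGet
    global static List<Contact> getContacts() {
        RestResponse res = RestContext.response;

        // Object-level check through DescribeSObjectResult.
        Schema.DescribeSObjectResult contactDescribe = Contact.SObjectType.getDescribe();
        if (!contactDescribe.isAccessible()) {
            res.statusCode = 403;   // caller may not read Contact at all
            return null;
        }

        // Field-level checks through DescribeFieldResult, one per returned field.
        for (Schema.SObjectField field : RETURNED_FIELDS) {
            if (!field.getDescribe().isAccessible()) {
                res.statusCode = 403;   // caller lacks FLS on at least one field
                return null;
            }
        }

        // WITH USER_MODE enforces the current user's object permissions and FLS on
        // this query regardless of the class's API version; a field the user cannot
        // read raises a QueryException instead of being returned. Replacing it with
        // WITH SYSTEM_MODE would bypass those checks (the 66.0-and-earlier default)
        // while the class's "with sharing" declaration would still govern which
        // records are visible.
        return [SELECT Id, FirstName, LastName, Email FROM Contact WITH USER_MODE LIMIT 200];
    }
}
```

The describe checks and WITH USER_MODE overlap on purpose: the describe checks let the method answer with a 403 rather than an unhandled QueryException, and the clause guarantees enforcement on the query itself even if the field list and the checks drift apart later.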