I know there was some previous discussion on this. https://gerrit.openbmc-project.xyz/c/openbmc/bmcweb/+/29344 is making the default setting for D-BUSĀ REST API disabled. The D-Bus REST allows authenticated users access to privileged information that may be above their permission level.
After this commit to use phosphor-webui or D-Bus REST, you will need to set -Drest=enabled in your bbappend. Note: webui-vue uses Redfish and will not be impacted. Let me know if you have any concerns.
-Ali Ahmed