Actually, If you can access /wp-json/wp/v2/users redirect and no information sensitive(email,...)-->That is not a vulnerability

If you can't access /wp-json/wp/v2/users but you can bypass 403 with this /wp-json/?rest_route=/wp/v2/users/ --> That is a vulnerability