Using this module for JSON API authentication, I've found that when I block the user, I can still retrieve data using the credentials of that user.
Turn on jsonapi, turn on this module, turn on basic authentication.
Create a node. Use Postman to retrieve the data.
Check if user is blocked somewhere around https://git.drupalcode.org/project/rest_api_authentication/-/blob/8.x-1....
Active
2.0
Code
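The check proposed in the report, shown as an added stand-alone example (not code from rest_api_authentication or Drupal core): a Basic authentication handler that treats a blocked account the same as a wrong password. The user table, function names and the `$checkStatus` switch are hypothetical and constructed for illustration.

```php
<?php
// Added example; all names are hypothetical and the accounts are constructed.
// status 1 = active, 0 = blocked.
$users = [
    'alice' => ['hash' => password_hash('alice-pass', PASSWORD_DEFAULT), 'status' => 1],
    'bob'   => ['hash' => password_hash('bob-pass', PASSWORD_DEFAULT),   'status' => 0],
];

/** Parse "Basic base64(user:pass)"; returns [user, pass] or null if malformed. */
function parse_basic_header(string $header): ?array
{
    if (!preg_match('/^Basic\s+(\S+)$/i', trim($header), $m)) {
        return null;
    }
    $decoded = base64_decode($m[1], true);
    if ($decoded === false || strpos($decoded, ':') === false) {
        return null;
    }
    return explode(':', $decoded, 2); // the password may itself contain ':'
}

/** Returns the authenticated user name, or null when the request is rejected. */
function authenticate(array $users, string $header, bool $checkStatus): ?string
{
    $creds = parse_basic_header($header);
    if ($creds === null) {
        return null;
    }
    [$name, $pass] = $creds;
    $user = $users[$name] ?? null;
    if ($user === null || !password_verify($pass, $user['hash'])) {
        return null;
    }
    // The check the report asks for: valid credentials are not enough, the
    // account must also be active. On a Drupal user entity the equivalent
    // test is $account->isBlocked().
    if ($checkStatus && $user['status'] !== 1) {
        return null;
    }
    return $name;
}

// Blocked account with correct credentials, first without and then with the check.
$blocked = 'Basic ' . base64_encode('bob:bob-pass');
var_dump(authenticate($users, $blocked, false));
var_dump(authenticate($users, $blocked, true));
```

Returning the same null for a blocked account as for a bad password keeps the response from revealing which accounts exist but are blocked.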