In the Classic UX, when we secure an attribute by placing it on the Secured sub-page, users who do not have access to the secured sub-page cannot read/write info from/into the attribute (even on the list layout). However, using the REST API, the same user account is able to read/update data from/to a field even if it is placed on a secured sub-page.
Release : 16.0.0
Secure subpages is a Classic UX view-level security feature that does not apply to the Modern UX/REST API.
In order to secure attributes in the Modern UX and the REST API, the attribute should be secured from Modern UX > Administration > Attributes > (attribute) > Secure.