WordPress 4.7.1 REST API still exposing users

I have upgraded my WordPress to 4.7.1, and after that I’ve tried to enumerate users through REST API, which should be fixed, but I was able to retrieve users.

https://mywebsite.com/wp-json/wp/v2/users

Output:

[{"id":1,"name":"admin","url":"","description":"","link":"https:\/\/mywebsite\/author\/admin\/","slug":"admin","avatar_urls":{"24": ...

Changelog from latest version:

The REST API exposed user data for all users who had authored a post
of a public post type. WordPress 4.7.1 limits this to only post types
which have specified that they should be shown within the REST API.
Reported by Krogsgard and Chris Jean.

After installing plugin Disable REST API, it seems that everything is working fine, but I don’t like to use for every little thing plugin.

The output after using plugin is:

{"code":"rest_cannot_access","message":"Only authenticated users can access the REST API.","data":{"status":401}}

How can I fix this issue without using plugin, or why even after upgrading this stil exist?

EDIT 30.9.2017

I realized that there is a conflict between contact 7 plugin and Disable REST API and that will give you 401 unauthorized error.

When you try to send a message through contact 7 form, it will make a request

wp-json/contact-form-7/v1/contact-forms/258/feedback

and disabling that is not a good idea.

Solutions Collecting From Web of "WordPress 4.7.1 REST API still exposing users"