Please check this page:
https://vulners.com/hackerone/H1:356047

A way to reproduce it, is to access your site trough:
https://example.com/wp-json/wp/v2/users

Even with author pages disabled, the usernames list is disclosed and accessible. A presented solution for that is to add a filter:

add_filter( 'rest_endpoints', function( $endpoints ){
    if ( isset( $endpoints['/wp/v2/users'] ) ) {
        unset( $endpoints['/wp/v2/users'] );
    }
    if ( isset( $endpoints['/wp/v2/users/(?P<id>[\d]+)'] ) ) {
        unset( $endpoints['/wp/v2/users/(?P<id>[\d]+)'] );
    }
    return $endpoints;
});

I've tried and it worked on my side. Can you consider to add it to your pluggin?