Anyone can register a new user - even with read-only API token (+ other security questions)?

What I want to do is give end users read-only access to my API from the mobile app. Is generating a read-only API token enough in this scenario, or do I have to create an authenticated user with find/findOne rights?

What’s also confusing is that anyone can register a new user by hitting the /api/auth/local/register/ endpoint. How can I prevent that?

Regards,
Timo