See T264378#6516543 for example URIs
Core REST API endpoints set Cache-Control headers unconditionally, thus making responses publicly cacheable. However, it seems that for at least some cases MW also issues a Set-Cookie with a session cookie in the same response. Obviously, responses with a session cookie must not be cacheable in the CDN.
We need to look at what the Action API does in this case and probably copy over the behavior. Most likely this will result in setting Cache-Control to private for logged-in users for the MW REST API, since not only can we not really guarantee that Set-Cookie won't be issued, but we also can't properly guarantee we are not leaking any private data.
Additional consideration: we should probably implement some level of framework support for emitting Cache-Control headers and convert handlers to using it. Fixing individual handlers will be too error-prone in this case.
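
One way the framework-level handling proposed above could work, as an added example that is not MediaWiki code: a single finalization step runs after every handler and downgrades the response to `private` whenever it carries Set-Cookie or belongs to a logged-in user. The function names and the lowercase-keyed header dict are assumptions of this sketch.

```python
def parse_cache_control(value):
    """Parse a Cache-Control value into {directive: argument-or-None}."""
    directives = {}
    for part in (value or "").split(","):
        name, _, arg = part.strip().partition("=")
        if name:
            directives[name.strip().lower()] = arg.strip().strip('"') or None
    return directives


def is_shared_cacheable(headers):
    """True if a shared cache (CDN) may store a response with these headers."""
    cc = parse_cache_control(headers.get("cache-control"))
    if "private" in cc or "no-store" in cc:
        return False
    return any(d in cc for d in ("public", "s-maxage", "max-age"))


def finalize_cache_headers(headers, logged_in):
    """Apply the caching policy in one place, after the handler has run.

    headers: dict keyed by lowercase header name (assumption of this sketch).
    A response that sets a cookie or is served to a logged-in user loses
    'public' and 's-maxage' and gains 'private'; the handler's other
    directives (for example max-age for the browser cache) are kept.
    """
    out = dict(headers)
    if not (logged_in or "set-cookie" in out):
        return out
    cc = parse_cache_control(out.get("cache-control"))
    for directive in ("public", "s-maxage"):
        cc.pop(directive, None)
    cc = {"private": None, **cc}
    out["cache-control"] = ", ".join(
        k if v is None else f"{k}={v}" for k, v in cc.items()
    )
    return out


if __name__ == "__main__":
    # Constructed sample: a handler set public caching, and a session
    # cookie was added to the same response.
    response = {
        "cache-control": "public, max-age=60, s-maxage=300",
        "set-cookie": "session=constructed-value; HttpOnly",
    }
    print(is_shared_cacheable(response))
    print(finalize_cache_headers(response, logged_in=False)["cache-control"])
```

The same `is_shared_cacheable` check can be pointed at recorded response headers to audit existing endpoints for the Set-Cookie plus public Cache-Control combination.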