There should be a hook that provides information on which REST API handler is about to be executed, and allows hook handlers to intervene.
Some use cases:
- reasonable session error handling in REST requests (T252591: REST API endpoints give confusing errors for invalid OAuth2 access tokens)
- an allow-list of API endpoints in some special situation (T381223: useragent-clienthints API does not work on the SUL3 authentication domain)
- probably throttling and such