Since nobody joined the conversation and thus there are no objections I think it's ok to say that in secured web apps a criteria of an HTTP request having "sec-fetch-dest" header set to "empty" may be reliably used to distinguish REST requests from other browser generated HTTP requests