You are correct: regular REST APIs can be accessed from the public endpoint stage URL or a custom domain name. A private REST API is deployed within a VPC using an interface VPC endpoint.
In both cases, regardless of the endpoint being public or private, there are still measures to control and manage access to the API. These may include resource policies, IAM permissions, and others.
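As an added illustration of the resource-policy control mentioned above (not part of the original answer and not AWS code), this sketch audits a parsed API Gateway resource policy for Allow statements that let any principal invoke the API with no network restriction. The function names, the sample policies and the `vpce-EXAMPLE` id are assumptions constructed for the example.

```python
# Condition keys that tie a request to a VPC endpoint, VPC or source address.
NETWORK_KEYS = {"aws:sourcevpce", "aws:sourcevpc", "aws:sourceip"}
INVOKE_ACTIONS = {"*", "execute-api:*", "execute-api:invoke"}

def as_list(value):
    return value if isinstance(value, list) else [value]

def any_principal(principal):
    if isinstance(principal, dict):
        return any("*" in as_list(v) for v in principal.values())
    return principal == "*"

def network_operators(statement):
    """Condition operators (lowercased) that test one of NETWORK_KEYS."""
    return {op.lower() for op, block in statement.get("Condition", {}).items()
            if any(key.lower() in NETWORK_KEYS for key in block)}

def covers_invoke(statement):
    actions = as_list(statement.get("Action", []))
    return any(a.lower() in INVOKE_ACTIONS for a in actions)

def audit_policy(policy):
    """Return findings for Allow statements open to any principal with no
    network restriction, either on the statement itself or through a Deny
    that rejects requests from outside a named network.
    Simplification: Resource scoping is not compared between statements,
    and IAM or authorizer settings on the methods are out of scope."""
    statements = [s for s in as_list(policy.get("Statement", []))
                  if covers_invoke(s) and any_principal(s.get("Principal"))]
    # A Deny with a negated operator (StringNotEquals, NotIpAddress, ...)
    # on a network key fences off every request from outside that network.
    fenced = any(s.get("Effect") == "Deny"
                 and any("not" in op for op in network_operators(s))
                 for s in statements)
    return [f"{s.get('Sid', '<no Sid>')}: any principal may invoke, no network condition"
            for s in statements
            if s.get("Effect") == "Allow" and not fenced and not network_operators(s)]

# Constructed sample policies; the endpoint id is a placeholder.
OPEN = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AllowAll", "Effect": "Allow", "Principal": "*",
     "Action": "execute-api:Invoke", "Resource": "execute-api:/*"}]}
FENCED = {"Version": "2012-10-17", "Statement": OPEN["Statement"] + [
    {"Sid": "DenyOutsideEndpoint", "Effect": "Deny", "Principal": "*",
     "Action": "execute-api:Invoke", "Resource": "execute-api:/*",
     "Condition": {"StringNotEquals": {"aws:SourceVpce": "vpce-EXAMPLE"}}}]}

if __name__ == "__main__":
    print(audit_policy(OPEN))    # one finding for AllowAll
    print(audit_policy(FENCED))  # no findings
```

A policy retrieved from AWS arrives as a JSON string, so pass it through `json.loads` before calling `audit_policy`.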