What's the most secure way to completely disable Cuba REST API, so that I can only use the Portal Module to manually expose endpoints?
You can simply remove rest_api servlet in web and portal (if exists) modules, i.e. delete the following lines from web.xml:
<servlet>
<servlet-name>rest_api</servlet-name>
<servlet-class>com.haulmont.restapi.sys.CubaRestApiServlet</servlet-class>
<load-on-startup>2</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>rest_api</servlet-name>
<url-pattern>/rest/*</url-pattern>
</servlet-mapping>