The Jenkins REST API should never be used without the tree parameter. Using the Jenkins REST API without the tree parameter, making a call to /api/json for example will run. However, making a call to /api/json will cause Jenkins by default to respond with some rather arbitrary collection of data, some of which might not be used and which may be work to compute. The practice of making /api/json calls can cause poor performance issues and high CPU issues.
More information about the tree parameter can be found here
You can check the Jenkins access logs for requests URLs matching the regular expression
.*\/api\/(python|json|xml) to see the origins of unrestricted requests. If necessary, you can block all API calls.