You are unfortunately correct, there is no protection or access authorization code in place for DA REST functions.
This Idea request may be of interest. It requests the DB connection info in the DA be secured. The more up votes it gets the better.
IM DA security enhancement request
This Idea was implemented as of 2.8 and provides for control of the data passed between DA and DC.
secure Datacollector traffic to DA
I found out that coming in the r3.6 release we are adding support for the DA to be configured so it runs using https.
Unfortunately that won't come with username/password protection for rest yet.
It appears that REST security for the DA is on their minds, but it wouldn't hurt for a specific Idea to be submitted requesting it. Once more, the move votes (the squeaky wheel gets the grease) up it gets the more likely to be considered for inclusion in a future release.