WordPress - WP-AJAX vs WP REST API: What to use for requests to the website from outside?
Each of these has its own advantages and disadvantages. You might need to choose one over another, based on your needs. They are both well secured, otherwise they wouldn't exist in the core.
REST-API, The modern and well known API
The REST API was added to (or, better said, combined with) the core more recently than Admin-AJAX. It is perfect to be used in mobile apps and API development.
Advantages
- Is simpler to write, develop and debug
- Does not need separate functions for logged-in and non-logged-in users
- The core already has some built-in handlers that speed up the development process
- The response can easily be used in applications or platforms that do not run on WordPress
Disadvantages
- It does not produce any user-friendly response. The output is in JSON, which can't be used in some cases, such as SEO purposes. However, some might find this an advantage
- Working with JavaScript and JSON needs more knowledge than handling a simple text output
Admin-AJAX, The ancient AJAX handler of WordPress
Admin AJAX has existed in the core for as long as I can remember, and is the way the core itself deals with the requests in the admin area.
Advantages
- It directly outputs the content, which can be used anywhere, even by search engines. Some scripts such as Custombox only support this kind of response
- It has separate functions for logged-in and logged-out users. While you can do this with a conditional in the REST-API, some may find this useful
- Working with the response is easier, since all you need is to put it in a div or wherever you need
Disadvantages
- Since the output is plain HTML (by default), it shouldn't (or maybe even can't) be used in APIs and application development
Conclusion
It's very hard to say which one should be used; they are both useful handlers, and if either of them weren't secure, it certainly would not have existed in the core for so many years. So there is not a problem of security, but if you are still concerned about security, you need an SSL certificate.
It's rather performance, type of request, and development platform that decide which one should be used.
I know there are ways to allow for authentication with the REST API, but it takes additional effort to get it to work properly.
Meaning using functions like is_user_logged_in() will not work right out of the box with the REST API, but it does with the AJAX method.
So my answer would be: when you need to make requests from the website to itself, e.g. when JS needs some data, it is usually best to use the AJAX methods, as you will have full access to the WP functions and authentication if needed.
If you need to make requests from third-party software that WILL have access to a user's login and password that you can pass authentication with,
OR
you have no need for user data or any other authenticated data from the website, but just need simple data like "Top Posts", etc., then use the REST API.
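The two points the answers raise (separate logged-in and logged-out hooks in admin-ajax, and is_user_logged_in() in a REST callback), shown side by side as an added example that is not part of either answer. The myplugin prefix, the action name, the route and the script file are hypothetical; the WordPress functions are core APIs.

```php
<?php
// Added illustration; every "myplugin" name, action and route is hypothetical.
function myplugin_titles( $statuses ) {
    $posts = get_posts( array( 'post_status' => $statuses, 'numberposts' => 5 ) );
    return wp_list_pluck( $posts, 'post_title' );
}

// admin-ajax.php: one hook for logged-in users, one for logged-out visitors.
add_action( 'wp_ajax_myplugin_top_posts', function () {
    // CSRF check: ends the request with 403 unless the "nonce" field is valid.
    check_ajax_referer( 'myplugin_top_posts', 'nonce' );
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    wp_send_json_success( myplugin_titles( array( 'publish', 'draft' ) ) );
} );
add_action( 'wp_ajax_nopriv_myplugin_top_posts', function () {
    wp_send_json_success( myplugin_titles( array( 'publish' ) ) );
} );

// REST API: one route; the logged-in/logged-out split is a conditional.
add_action( 'rest_api_init', function () {
    register_rest_route( 'myplugin/v1', '/top-posts', array(
        'methods'             => 'GET',
        'permission_callback' => '__return_true', // public, read-only route
        'callback'            => function () {
            // Under cookie authentication the current user is only kept when
            // the request carries a valid X-WP-Nonce header (action "wp_rest");
            // without it this runs as a logged-out visitor.
            $statuses = current_user_can( 'edit_posts' )
                ? array( 'publish', 'draft' ) : array( 'publish' );
            return rest_ensure_response( myplugin_titles( $statuses ) );
        },
    ) );
} );

// Hand both endpoints and their nonces to the site's own JavaScript.
add_action( 'wp_enqueue_scripts', function () {
    wp_enqueue_script( 'myplugin', plugins_url( 'myplugin.js', __FILE__ ), array(), '1.0', true );
    wp_localize_script( 'myplugin', 'MyPlugin', array(
        'ajaxUrl'   => admin_url( 'admin-ajax.php' ),
        'ajaxNonce' => wp_create_nonce( 'myplugin_top_posts' ),
        'restUrl'   => esc_url_raw( rest_url( 'myplugin/v1/top-posts' ) ),
        'restNonce' => wp_create_nonce( 'wp_rest' ), // send as X-WP-Nonce
    ) );
} );
```

In both paths the server-side capability check decides what is returned; the nonce only ties the request to the logged-in browser session.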