A community can restrict access to all areas of the website not required for user registration/authentication by revoking the "View Web Site" permission from a role.
For example, to only allow authenticated/registered users to access the web site, the "View Web Site" permission could be revoked from the "Everyone" role within Administration > Membership > Roles. This would prevent unauthenticated users from accessing any of the community website without first logging in.
Note that the "View Web Site" permission does not prevent access to the REST API, it only limits access to the web site. Visitors to the website who are not authenticated and do not have the "View Web Site" permission will be redirected to login. Visitors who are authenticated but do not have "View Web Site" permission will be redirected to the access denied message.