ZAC ports confusion

It's no security issue, no. There are two main APIs the controller supports. One is the "client" API and it provides an unauthenticated endpoint that provides "versions" (like you saw).

There is also the 'management' API, which is what modifies the controller and always requires authentication. You can optionally decide to host the ZAC and management API on different ports if you wish, or, as one recent Discourse post shows, you can use OpenZiti to control access to the ZAC and the management API for a strong security posture.

Have a look at "Making ZAC and management API accessible only through service" when you're ready to try that 🙂
