Get the API Access Control feature enabled in your org, Install all your Connected apps, change their app policies to Admin approved users are pre-authorized and add an “allow access” permission set to all users who need access and then turn on API Access Control. This will prevent rogue apps connecting to your org.

You should not be using Username/Password authentication for API access - let's have a look at how to use JWT and Salesforce's WSC to do it.

The background In August 2022, I raised a case with Salesforce Tech support covering an issue I found with Salesforce Aura Communities (now known as Digital Experiences or Experience Cloud) while doing an assessment on a customer's Salesforce org. The issue was that you are able to modify the Community URL to see standard Salesforce pages - Account, Contact, User, etc. This would not really be an issue, except that the admin has not expected you to see the standard pages as