  1. eZ Publish / Platform
  2. EZP-22312

REST API v2 allows login for unactivated users

Details

    Description

      When a user registers (doesn't matter which way) for a site but the account is not enabled (the is_enabled setting in user_account is false), it's still possible to create a session for that user via the eZ Publish REST API v2's create session web service.

      When then trying to read restricted content or perform any other action using this session, access is denied; still, it shouldn't be possible to create a session at all.
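
      A minimal model of the reported behaviour next to the expected one, added here as an illustration; it is not eZ Publish code. The account store, function names and the 201/401 status codes are assumptions of the example; only the is_enabled flag comes from the report.

```python
import hashlib, hmac, os, secrets
from dataclasses import dataclass

@dataclass
class Account:
    login: str
    salt: bytes
    pw_hash: bytes
    is_enabled: bool  # models the is_enabled flag named in the report

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def make_account(login, password, is_enabled):
    salt = os.urandom(16)
    return Account(login, salt, _hash(password, salt), is_enabled)

# Constructed sample accounts (hypothetical users, not real data).
USERS = {a.login: a for a in (
    make_account("alice", "correct-horse", True),
    make_account("bob", "pending-pass", False),  # registered, never activated
)}
SESSIONS = {}  # token -> login

def _credentials_ok(login, password):
    """Return the account if login and password match, else None."""
    acct = USERS.get(login)
    if acct and hmac.compare_digest(acct.pw_hash, _hash(password, acct.salt)):
        return acct
    return None

def _issue(acct):
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = acct.login
    return 201, token

def create_session_flawed(login, password):
    """Reported behaviour: only the credentials are checked."""
    acct = _credentials_ok(login, password)
    return _issue(acct) if acct else (401, None)

def create_session_fixed(login, password):
    """Expected behaviour: account state is checked before any session exists."""
    acct = _credentials_ok(login, password)
    if acct is None or not acct.is_enabled:
        return 401, None  # same answer as bad credentials, no session stored
    return _issue(acct)
```

      A regression test for the fix should assert both the refused response and that no session record exists for the disabled account afterwards.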

          People

            Unassigned
            reneh