In 2.0, the route that shows system informtions in the admin /admin/systeminfo on 2.x) does not have any extra permission check. Like the rest of the admin, it requires that the user is authenticated. While most resources will be protected by the Public API's permission checks, System info will not. setup/system_info was used in 1.x (and legacy), and can be reused for this.

The easiest is to perform the check in the controller itself. It is what was done in 1.x.
An alternative would be to stick to the Public API approach, and do that in the SystemInfoCollectorRegistry, so that it is transparent for API consumers.