Hey @mitchellD ,
Happy to help you out with this issue. Our REST Shop endpoint exposes the field password_enabled, which if true indicates the current main theme is password protected. That being said, I'm not completely sure in a headless context it's what you might be looking for.
If you have any other questions please don't hesitate to reach out.