At the moment XAR export of a page is only allowed for admins. All other exports are open to anybody.
In the UI we do not allow exports, hence we would not like to have exports being available through an API.
At the moment you can only deny the exports through Apache/NGINX, for instance by capturing the ?format=HTML in the query string.
It would be great if we can manage this in the application with rights in the same way as you manage other rights.
The export function is quite heavy on resources, hence it can be used for DDoS.
I would suggest the following user story:
As an admin you can set the rights based upon groups and users on who is allowed to export HTML, PDF, XAR, RTF, LaTeX.
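
A sketch of the per-format export check the user story asks for, applied to the `format` query parameter mentioned above. This is an added example, not the project's code: the rights table, the function names, the lowercase format values and the `wiki.example` URLs are all assumptions made for illustration.

```python
from urllib.parse import urlsplit, parse_qsl

# Assumed values of the `format` parameter: the formats the request lists, lowercased.
EXPORT_FORMATS = frozenset({"html", "pdf", "xar", "rtf", "latex"})

# Hypothetical rights table an admin would maintain: format -> who may export it.
# A format with no entry is denied to everyone (default deny).
EXPORT_RIGHTS = {
    "xar": {"groups": {"admins"}, "users": set()},
    "pdf": {"groups": {"admins", "editors"}, "users": {"alice"}},
}


def requested_export_formats(url):
    """Return every export format named by a `format` parameter in the URL."""
    found = set()
    # parse_qsl percent-decodes names and values, so the comparison runs on the
    # decoded text rather than on the raw query string a proxy regex would see.
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        if name.strip().lower() == "format":  # assumption: match case-insensitively
            fmt = value.strip().lower()
            if fmt in EXPORT_FORMATS:
                found.add(fmt)
    return found


def may_export(url, user, groups, rights=EXPORT_RIGHTS):
    """True if the request is not an export, or the user holds the right for
    every export format it names."""
    for fmt in requested_export_formats(url):
        rule = rights.get(fmt)
        if rule is None:
            return False  # no rule configured for this format: deny
        if user not in rule["users"] and not (set(groups) & rule["groups"]):
            return False
    return True


if __name__ == "__main__":
    # Constructed sample requests; wiki.example is a placeholder host.
    samples = [
        ("https://wiki.example/page?format=HTML", "bob", {"editors"}),
        ("https://wiki.example/page?x=1&FORMAT=pdf", "bob", {"editors"}),
        ("https://wiki.example/page?format=pdf&format=xar", "bob", {"editors"}),
    ]
    for url, user, groups in samples:
        print(url, "->", "allow" if may_export(url, user, groups) else "deny")
```

Because the decision is taken per format and defaults to deny, a request naming several formats is allowed only when the user holds every one of those rights.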