https://github.com/discourse/discourse/commit/7fe414d35d39f7bb1b1462a0386291988844976a
After the above commit, checking the “Hide my public profile and presences features” option on Preferences → Interface does block the individual user RSS & JSON routes.
You can also uncheck the enable user directory site setting 
Does that help?