Permissions for Globalization so countries can be accessed via REST

Laura Frese asked on January 12, 2017 18:51

I am using REST to access information on countries and states in a Kentico 10 website. I created a role and set permissions for that role. I assigned that role to the user making the REST requests. I added cms.country;cms.state to the REST allowed object types. However, in the Permissions app in Kentico, there is no selection for Globalization, so I can't create the permissions to allow that user to access the country and state data. I have to log in as admin to access that info. Any insights?

Recent Answers


Trevor Fayas answered on January 12, 2017 19:25

You'll have to experiment with the user type. Administrators have access to non-global resources, Editors to Site resources (once permissions given), global administrators have access to everything.

They may need to be an Administrator to even be allowed to look at non-site specific resources...


Roman Hutnyk answered on January 13, 2017 15:15 (last edited on January 13, 2017 16:16)

What about overriding security with AuthorizeClass security event handler?


Laura Frese answered on January 13, 2017 18:25

Those are both good ideas. I wrote to Kentico support and the response was "The classes from the Globalization (i.e. cms.country, cms.state) module are only accessible for Global administrators and there is no way to allow access for other users. If you need to access these objects using REST, the user must have the Global administrator privilege."

and "If you really need to access this data from a non-global admin and you'd like to look into other coding possibilities, another great way to do this is with global event handlers: https://docs.kentico.com/k10/custom-development/handling-global-events/reference-global-system-events. You can create a handler that triggers on the RequestEvents.PostAuthorize.Execute event and runs some code if the requested URL matches a certain schema (i.e. http://mysite.com/custom/getcustomtabledata). I recently built a custom module that uses this approach to provide data (securely) at specific URLs, and it works great."


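A sketch of the event-handler approach described in the support reply above, added here as an example (it is not code from the thread or from Kentico). Because such a handler sits outside the REST service's permission check, it authorizes the caller itself and returns only a fixed, read-only set of columns, so the account never needs Global administrator. Assumptions: the URL `/custom/countries` and the role code name `RestCountryReader` are hypothetical, and the Kentico class and member names are those of the Kentico 10 API as the editor understands it, so verify them against your installation.

```csharp
using System;
using System.Linq;
using System.Web;
using System.Web.Script.Serialization;
using CMS;
using CMS.Base;
using CMS.DataEngine;
using CMS.Globalization;
using CMS.Helpers;
using CMS.Membership;
using CMS.SiteProvider;

[assembly: RegisterModule(typeof(CountryEndpointModule))]

public class CountryEndpointModule : Module
{
    private const string EndpointPath = "/custom/countries";  // hypothetical URL
    private const string RequiredRole = "RestCountryReader";  // hypothetical role code name

    public CountryEndpointModule() : base("Custom.CountryEndpoint") { }

    protected override void OnInit()
    {
        base.OnInit();
        RequestEvents.PostAuthorize.Execute += HandleRequest;
    }

    private static void HandleRequest(object sender, EventArgs e)
    {
        // Exact path match only; every other request continues through the pipeline.
        if (!EndpointPath.Equals(RequestContext.CurrentRelativePath, StringComparison.OrdinalIgnoreCase))
            return;

        HttpContext ctx = HttpContext.Current;
        // No built-in REST permission check runs here, so deny by default:
        // GET only, authenticated, and a member of the dedicated role.
        bool allowed = ctx.Request.HttpMethod == "GET"
            && AuthenticationHelper.IsAuthenticated()
            && MembershipContext.AuthenticatedUser.IsInRole(RequiredRole, SiteContext.CurrentSiteName);
        if (!allowed)
        {
            ctx.Response.StatusCode = 403;
            ctx.ApplicationInstance.CompleteRequest();
            return;
        }

        // Fixed projection: expose only the two columns the client needs.
        var countries = CountryInfoProvider.GetCountries()
            .Columns("CountryDisplayName", "CountryTwoLetterCode")
            .ToList()
            .Select(c => new { name = c.CountryDisplayName, code = c.CountryTwoLetterCode });

        ctx.Response.ContentType = "application/json";
        ctx.Response.Write(new JavaScriptSerializer().Serialize(countries));
        ctx.ApplicationInstance.CompleteRequest();
    }
}
```

The handler authenticates through the site's normal session rather than the REST service's own authentication, so confirm how your client will sign in before relying on it.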