Which channel driver are you using? The option to disable for chan_sip is allowguest.
This is actually about authentication for INVITE, not about registration. If you use an ITSP, is very unlikely that they will register with you, which would be incompatible with them, so the only way to avoid someone masquerading as the ITSP, is likely to be to authenticate them by IP address (which you do with type=peer for chan_sip and type=identify, for chan_pjsip, or to restrict access to only their valid IP address range, with permit and deny (and preferably also at the firewall).
For things that do register, they will have to present a valid user and know the correct secret, although identifying them by address, for INVITEs, is also desirable. I’m not entirely sure what you have to do with chan_pjsip to authenticate by a dynamic address; it might come out in the wash.
If not authenticating by address, SIP does not require registration for incoming calls, if the caller knows the user and secret. Registration is about knowing where to send outgoing calls, not about authentication, although the address it learns can be used for IP based authentication.
Also note that allowguest, etc., should be using the default context, and that context should not configured to be able to make chargeable calls, at least not without secondary authentication. Also the context associated with an ITSP should not be able to make chargeable calls, or you need very tight lockdowns on the ITSP’s address range.