Making an OPTIONS request to Elasticsearch does not require any authentication, it will return which methods are supported in each API endpoint.
Some endpoints will support GET, others will support GET and POST, which depends on each endpoints.
No, this is not correct because some unknown vulnerability may arise that could be exploited.
Being safe or unsafe depend on other factors like if security is configured, if the password used are strong, if the your endpoint is not publicly exposed to the internet, if the stack is up to date, multiple things can make your cluster more safe or unsafe.
Many security scan tools will alert if an HTTP endpoint has the OPTIONS method allowed because this method can be used to know what other methods are supported, but this can also be done in multiple other ways, so this alert is normally just an information alert.
Since you cannot disable OPTIONS in elasticsearch you need to adjust your security scan tool to ignore it in this case.