Anyone who is not authenticated on the website is considered a visitor. Typically visitors are allowed only to browse the frontend side of a website and are not authorized to view or do any activity on the backend side.
FYI! Visitor does not have any roles or capabilities assigned.
It is important to understand the difference between authentication and authorization because a lot of times it is misinterpreted correctly or used as synonyms.
The easiest way to explain the difference is that authentication is a process of identification. This is when a user tells a website who he or she is. The authorization is a process of granting access to certain resources or activities. In other words, the website knows who is the user and verifies if the user is allowed to do what he/she is asking for. In real life the authentication and authorization can be explained with an example: John Smith is allowed to enter your house because he is your friend (authentication), but he is not allowed to take your office desk (authorization).
WordPress core does not have much control over visitors’ authorization. Most of it is related to restricting access to the backend side and couple handful features to password protect or deny access to not published posts, pages and custom post types.
With AAM plugin the frontend authorization is extended and you can manage access to your website content, widgets or even access to the entire website.