The problem comes when we've normalized the idea of exploring buildings with unlicked doors as "yeah, this is probably exceeding authorized access".
People on here talk all the time about how their digital possessions are just as important as their physical possessions (if not more-so). Given that it seems perfectly reasonable to have the same cultural norms about exploring digital spaces as physical ones.
The internet is not a building, but to follow the analogy, HTTP by design has no unlocked closed doors — only open doors and locked doors, with an explicit and clear distinction between them.
This is the kind of argument you'd expect to see from a writer at Slate, not from technologists who actually understand applications. Practically by definition, almost all application-layer vulnerabilities, from remote code execution through SQL injection through remote file access, involve requests that HTTP "allows" and processes. In fact, one of the most lethal bug classes --- SSRF --- simply involves getting an HTTP server to accept and pass on a request somewhere else! The premise that a request is authorized so long as it doesn't generate a 403 implies that virtually all modern application vulnerabilities can be exploited lawfully. And that's a ridiculous proposition.
The Internet is comprised of physical servers, owned by humans. Those servers are accessed by other humans, who are perfectly capable of predicting how the human owners of the servers would want those servers to be used. The protocol isn’t what defines those human interactions and expectations.
A protocol - originally the diplomatic customs, procedures, conventions, and etiquette for relations between states - is by definition one of the ways of expressing intent.
If I broadcast a request for an IPv4 address and your DHCP server proffers an IPv4 address that I can use for the next 15min, the address of a nameserver, and the address of a router that will forward packets to the global internet, I can reasonably conclude that you intended to allow me to exchange packets on your LAN and at least attempt to use your gateway to interact with the internet. On the other hand, depending on the situation, a "403 Forbidden" could reasonably be interpreted as a request to not send that type of HTTP request anymore.
The protocol isn't the only place to look for intent, but it absolutely does express intent in some situations.
The protocol explicitly has mechanisms for protected and non-protected.
If the owners don't want something public, it's trivial to lock it down--they might as well freak out when somebody uses the wrong door to enter the front of their shop.
At the end of the day, laws govern the interactions between humans. The law imposes on everyone an obligation to think about the intentions and expectations of other humans. (This is what separates us from animals--the ability to reason about the mental states of others!)
The protocol is relevant, because it conveys information. Just as unlocked doors generally indicate permission to access, unsecured HTTP generally indicates the same. But the protocol is only one piece of the puzzle. It is not dispositive. It does not conclusively decide rights and responsibilities. If a reasonable human would discern that the protocol allowing access was probably the result of a mistake rather than intent on the part of the property owner, that is what matters.
People on here talk all the time about how their digital possessions are just as important as their physical possessions (if not more-so). Given that it seems perfectly reasonable to have the same cultural norms about exploring digital spaces as physical ones.