
If that doesn't prove that FB's developers aren't thinking about security, I don't know what would. Nobody who is in a culture of protecting security would even consider building this.


Or privacy. The assumption here is that if someone thinks you have an inappropriate photo, you now have no right to privacy?


No, it's surely just a mistake. No one made an affirmative decision to skip "privacy". What happened is that whoever added the "select more images to block" feature somehow did it in a way that skips the normal access checks.

If there's a goof here, it's that the framework they've built apparently doesn't make the privacy controls mandatory. Developers have to remember to "turn them on" by calling an access control predicate or whatnot. That's bad. That's dumb. But it's not malicious.
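The distinction this comment draws, an access check that callers must remember to invoke versus one the data layer enforces on every read, is easy to see in code. The following is an added illustration, not Facebook's code or a description of its actual framework: a toy photo store with a constructed social graph, an opt-in predicate that a new "list more photos" endpoint forgets to call, and a hardened store whose only read path demands a viewer and filters by audience before returning anything.

```python
"""Opt-in vs. mandatory privacy checks on a photo-listing backend.

Added example, not code from the page or from Facebook.  Names
(Photo, Graph, PhotoStore, can_view, the report_* functions) and the
sample users alice/bob/mallory are all constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass(frozen=True)
class Photo:
    photo_id: int
    owner: str
    audience: str  # one of "public", "friends", "only_me"


@dataclass
class Graph:
    """Constructed stand-in for the social graph: who is friends with whom."""
    friends: dict[str, set[str]] = field(default_factory=dict)
    photos: list[Photo] = field(default_factory=list)

    def are_friends(self, a: str, b: str) -> bool:
        return b in self.friends.get(a, set())


def can_view(graph: Graph, viewer: str, photo: Photo) -> bool:
    """The privacy predicate.  Correct on its own; the bug is whether it runs."""
    if viewer == photo.owner or photo.audience == "public":
        return True
    if photo.audience == "friends":
        return graph.are_friends(photo.owner, viewer)
    return False  # "only_me"


# --- Opt-in design: raw listing is available, and the check is the caller's job.
def list_photos_optin(graph: Graph, owner: str) -> list[Photo]:
    return [p for p in graph.photos if p.owner == owner]


def report_more_photos_buggy(graph: Graph, viewer: str, owner: str) -> list[int]:
    # Models the failure the thread describes: a new feature built on the
    # raw listing and never calls can_view(), so every photo is returned.
    return [p.photo_id for p in list_photos_optin(graph, owner)]


# --- Mandatory design: there is no read path that skips the viewer check.
class PhotoStore:
    def __init__(self, graph: Graph) -> None:
        self._graph = graph

    def list_photos(self, viewer: str, owner: str) -> list[Photo]:
        # The viewer is a required argument and filtering happens here,
        # so a feature author cannot forget the check; at worst they pass
        # the wrong viewer, which is a much more visible mistake.
        return [
            p for p in self._graph.photos
            if p.owner == owner and can_view(self._graph, viewer, p)
        ]


def report_more_photos_fixed(store: PhotoStore, viewer: str, owner: str) -> list[int]:
    return [p.photo_id for p in store.list_photos(viewer, owner)]


def leaked_ids(graph: Graph, viewer: str, owner: str) -> list[int]:
    """Regression check: ids the buggy path exposes that the viewer may not see."""
    allowed = {p.photo_id for p in PhotoStore(graph).list_photos(viewer, owner)}
    return [i for i in report_more_photos_buggy(graph, viewer, owner) if i not in allowed]


def build_sample_graph() -> Graph:
    """Constructed sample data: alice owns three photos, bob is her friend."""
    return Graph(
        friends={"alice": {"bob"}, "bob": {"alice"}},
        photos=[
            Photo(1, "alice", "public"),
            Photo(2, "alice", "friends"),
            Photo(3, "alice", "only_me"),
        ],
    )


if __name__ == "__main__":
    g = build_sample_graph()
    print("buggy, viewer=mallory:", report_more_photos_buggy(g, "mallory", "alice"))
    print("fixed, viewer=mallory:", report_more_photos_fixed(PhotoStore(g), "mallory", "alice"))
    print("leaked to mallory:", leaked_ids(g, "mallory", "alice"))
```

The point of `leaked_ids` is that this class of bug is mechanically testable: for every (viewer, owner) pair, the set returned by any endpoint must be a subset of what the mandatory store returns, and a test like that catches a forgotten predicate before it ships.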


I doubt that's the way this happened. More likely, the person who implemented the "inappropriate photo" feature wasn't fully aware that the "Report" functionality was enabled for everyone and not just your friends.

However, someone had to implement the backend for listing out those photos, and they clearly didn't think of access control, so there's at least something fishy here…


It's not the first time either. A very similar breach of privacy happened when they implemented the "view my profile as ..." functionality. You gained access to the private data of the user you were simulating.


That's why their philosophy is 'Move fast and break stuff'. The alternative might be a slow moving bureaucracy that never iterates new features.


"Move fast and break stuff" is a philosophy that is simply not compatible with "Your privacy is very important to us" (http://www.facebook.com/legal/terms) and "We take safety issues very seriously, especially with children" (http://www.facebook.com/about/privacy/minors).



