• 0 Posts
  • 3 Comments
Joined 2 years ago
Cake day: June 11th, 2023

  • I start typing in URLs that aren’t linked anywhere on the site, then I’m accessing stuff the site hasn’t explicitly indicated I have access to.

    Doesn’t work like that. With the policy you describe, anyone who ever sees a “404” error is a criminal.

    I don’t have to publish everything I am willing to offer. You are free to ask for something I may or may not have. I get to decide how to respond to your request.

    To use your analogy, I can walk up to your door and request a glass of water. You’ve never explicitly offered a glass of water to anyone; I’m still allowed to ask. If you don’t want me to have your water, you can say “No” or you can ignore me.

    When you go ahead and give me a glass of water, you don’t get to claim I stole it from you. It is not theft to ask.

    You have to make some sort of effort to have your web server limit my access, and I have to make some sort of effort to convince your web server to bypass those restrictions before you can claim I am exceeding my authorization.


  • Terrible analogy. A web server is not at all like a door. It doesn’t block or allow traffic to and from your file system.

    A web server is more like a receptionist. It handles requests. “Can I have your basic catalog?” “Certainly, here you go.”

    “Can I get this item from your basic catalog?” “Certainly.”

    “I don’t see it in your catalog, but my buddy said he got this other item from you. Can I have this other item too?” “Absolutely.”

    “Can I borrow your stapler?” “Sure.” “How about a pad of paper?” “Of course.” “Can I just have the contents of your supply closet?” “Here you go.” “How about your accounting files, can I get those?” “No problem!” “How about your entire customer list?” “Consider it done!”

    When you hire a receptionist and specifically tell them to give customers anything they request, that’s entirely on you. You have to at least make a token effort to restrict access to only authorized users before you can even claim that a particular user was unauthorized.

    This wasn’t burglary. This was putting up signs that say “come in” and labeling everything in your house with “free” stickers.