You will be surprised. Do a "Inspect Element" and have fun filtering on "XHR requests". Notice that JSON that a lot of those requests return. but sshhhh, you didn't hear this from me.
With the move to client-side rendering, too many. The backend becomes dumber and dumber and all logic such as filtering data moves to the frontend. You'd be surprised what you can find poking around at APIs that client-side apps use.
The analogy is going up to a house and checking all the doors and windows to see if they are locked. That's rather like port scanning, a form of 'poking'. If you go to a state government web site and do that, even if you don't exfiltrate data or load it up with ransomware, it's definitely very shady behavior, although it seems there are no laws against it in the USA (some ISPs will ban users caught doing this however).
Obviously if you broke into someone's house and then asked them to pay you for your 'vuln discovery', err...
However, I think looking at HTML code on a public facing web page is not that. If you hang naked pictures of yourself on your front door, you don't get to complain when people take pictures of them.
The data was send to my browser. The more fitting analogy to me is that I get a letter and a huge pile of documents in a giant binder. Some of the documents are referenced in the letter. Now the sender gets upset because I started looking at the documents in the binder that weren't referenced in their cover letter.
Last year, when a Nintendo Switch was difficult to come by, I found that a large retailer’s API returned exact stock counts (and even restock dates in some cases) for any physical store you wanted. Got a Switch for myself and a couple friends in an afternoon.
