I think intent matters for actually securing an indictment and conviction, if for example they can prove that you exfiled their user data (this happened to Weev who noticed an ordinal ID in a URL and enumerated all possible URLs) they could actually get the feds to bust you. But you're right, if they're big enough they could try to come after your regardless at the risk of turning the security research community against them.
