I think this is a rather special use case. This makes sense with in-house applications, where something like this might be common, but it's probably not something you want on the public API of a shop.
I disagree. What about the support rep who needs to look at the customer's orders? What if it's, e.g., a digital games store, and you want to have kids' accounts which can be reviewed by their parents? What if you sell to businesses, and you want to let employees purchase stuff without having access to the address and billing info, which is configured by a master account?
You're just tying yourself down for no good reason.
Generally you’ll just get a 403 response. There’s still authentication taking place, I’d imagine this tip in particular is just to protect from revealing any potentially dangerous identifiers.
Preventing flexibility at the URL level rather than performing proper authentication strikes me as a poor decision.