I agree with you but I don't think the law does. The CFAA says that if access isn't authorized, it's no good. Now we can say that if the system was programmed to give it up (200) instead of telling you you aren't authorized (403/401) then you are authorized, but I think the law is more about whether a human intended to authorize you. Accidentally programming the authorization is (however stupid it may be) not what it's about.
I guess because the unauthorized thing isn't linked. Giving you the link is like giving you a password... They're both just strings although one is considered to be more secret than the other. Guessing at links is like guessing at passwords: it's overcoming the fact that you weren't provided with the string that gets the server to respond with the stuff.
I don't like this but I think it's how it legally could play out.