[Spivak]

This doesn’t track at all. This is me telling you that your forms are on my desk and throwing you the keys to my office. And then after getting your papers you go rummaging around other stuff.

Like sure I’m accepting a risk that you could do that but you’re still a dick if you actually do.

[closeparen]

Content you're serving on a public URL is content you have published. It's not your house and you didn't extend anyone any trust or limited access. You put it in The New York Times. Maybe you hoped no one would find it because it's on page B30 and most people only read A1. But people are allowed to read page B30 if they want to.

[zentiggr]

The point is that there's no keys involved, nothing in your private office. No rummaging either.

Publishing to a public web server is analogous to that little free library, out in the yard. No keys, anyone can look in it at any time. If you accidentally put something sensitive in there, where anyone can see it without any access control, you can't blame them for doing so.