[kiklion]

I feel like focusing on who owns the data is unnecessary.

If there is an API that grants access to data by passing in a valid auth token, then it doesn’t matter if it’s called from a SPA app or postman or curl.

As long as you are using the public API and haven’t forged an auth token then it doesn’t matter how you call the public API.

[yoavm]

Agree. Who cares about the client implementation?! You sent me the data, I decide how to process and render it. Otherwise we can sue people for having a black and white screen, using a text-only browser, a custom stylesheet or even for closing their eyes when the TV commercials are on.