The gist of some various laws around the world is that simply obtaining credentials does not authorize you to access the system, and accessing it without authorization is the illegal part.
This principle is clear if you apply a real world analogy. Just because you happen to have keys to a building doesn't mean you can enter without authorization from the owner. (E.g. you may have kept copies after a lease expires or a sale, it maybe you found them, etc.)
Considering it’s a API available without any authorization, the better comparison would be walking around on unfenced private land. There’s nothing to indicate they don’t want people on it but it’s also obvious it’s private land.
It doesn't matter. It's still just as illegal to get into an unlocked car or one with wide open doors without permission. The same premise applies to computers in a lot of places, access controls don't matter. If you access something on a computer not indented to be accessible, it's considered a crime.
Is it illegal, in fact? If a cop saw you, you'd be arrested and prosecuted for attempted auto theft, and your "I just wanted to see how comfy the driver's seat was" defense would ring hollow in court. But sitting in an unoccupied car without authorization isn't trespassing unless it's parked on the owner's land, and I'm not sure what other laws would apply to that specific act.
Walking around isn't usually a big deal until told to leave (verbally or by way of conspicuously posted signs), since that is a prerequisite to trespassing. Otherwise, delivery people would operate in a gray area which would be very problematic for them, since not all deliveries are requested by the recipient/owner.
However, although you are free to walk around in search of the front door, you can't start eating the fruit off the trees. Perhaps that's the better analogy: the trees are happy to serve up a delicious treat for anyone requesting something of it, but that doesn't mean the tree sets the rules. Just because fences preventing this are popular doesn't make them compulsory.
Defeating access control by using credentials that aren't yours is fraud.
Like, if you found a company badge laying around, go to that office and flash the badge to the security guard and go in. You've committed fraud by tricking the guard into thinking you're authorized to enter when you weren't.
TFA mentioned sending requests with a table number that the sender was not at. That is hardly any different from the idea of showing a badge that wasn't issued to you. The ease of spoofing doesn't matter at all, in the eyes of such laws.
The same could be said about typing any URL that wasn't knowingly supplied to you by the owner, but a "reasonableness test" in court would sort those out from nefarious activity.
Interestingly enough, the very lawsuit-happy nature of a major german party has "backfired" quite a bit recently. A security researcher was found not guilty of circumventing security measures or accessing authorized computer systems or resources without authorization, because there were no security measures or authorization on the API to circumvent.
Though note that this would not help one if one started to use or abuse the API to get free food or cause financial damage to a restaurant through fake orders. For example, ordering the corn soup through the API could really backfire if someone wants to present it as good old fraud or theft, or if the recipient of the unexpected soup got into trouble and started to look for someone to hand the damages to.