Yeah, I definitely would not do that to a 3rd party system without a specific letter of engagement for penetration test or security review. Now, that being said, it's the first thing I would tell every single developer about as a senior developer and I would insist that test cases be written to verify that no such 'feature' was permitted into the application.
Should I consult with my lawyer before manually entering an address into a browser? I could easily make a mistake that would allow me to access the wrong page.
Heck, if we're being that careful maybe I should just throw my computers out the window. A Google search result or a forum post could link me to the wrong page and I could get sued.
This is a good point, but there should be more awareness towards the issue as a whole. I've seen many apps who expose data dangerously. Some developers may not be aware that these values are exposed (even with SSL), so they should architect their apps accordingly, reinforcing the fact that you should never trust the client. I also briefly touch on the fact about this dynamic architecture and some of the implications it brings.