There is a reason he shouldn't be able to have a snoop around: it's a violation of federal law. Don't test other people's websites without permission (and even then, be careful).
I worry that people read a lot about vulnerability research conducted on iPhones or Chrome or whatever and assume that it's open season on any kind of application, but the rules for apps running on other people's servers are very different.
I don't understand what you're trying to say here. An argument that your browser is just doing what it's supposed to do when it triggers e.g. a SQL injection on some server somewhere is, I promise you, not going to help you if the government decides to prosecute you.
You're mistaking the easy for the legal. It can definitely be illegal for someone to "observe what his own computer was doing and then make some web requests".
If "observing what your computer was doing and making <internet> requests" were always legal, then there would be no such thing as illegal hacking, because that covers essentially all possible activities one can do with a computer. There may be some who would prefer that world, but it is obviously not the one we live in.
By your logic, someone who successfully guesses a weak password, SSHes into someone else's server and takes all of the data they can find there is doing nothing wrong, as they are "merely observing what their own computer was doing and making some TCP requests".
I don't think anyone here is disputing the fact that in the eyes of the law, his actions were illegal. But as someone who develops web scrapers/automation for a living, I poke and prod APIs in much the same manner as this guy. I don't feel such exploration should be criminalized. Sadly, it is.
In your SSH scenario, it's completely different: you're literally acting with the intent of accessing someone else's computer to exfiltrate sensitive data. That's not what happened here (according to the author).
Running a crawler and poking around API artifacts manually simply aren't the same thing under the law, even though on the wire what's happening is the same. As long as your crawler isn't programmed to go looking for SQL injection vulnerabilities or whatever, there's no case to be made that you had any intent to gain unauthorized access. That's what matters here: your intent.
If the "hacker" hacked his web browser, this wouldn't be an issue. They didn't. They attacked an application running on a server somewhere that was not their own machine, from a web browser running on their machine. The former is the important part in the eyes of the law, and the latter is irrelevant.