>I think the same conclusion would have to be made here: if you send something and stick a 200 on it, the recipients are entitled to what you sent them.

Disclaimer: I don't work with web tech, but wouldn't that also permit a lot of activities we would absolutely consider unethical, like SQL injection? It seems like you could certainly craft a request to circumvent security controls to receive a 200 response back that we'd absolutely consider to be unethical.