Hacker News

You totally nailed it. 100% right. Distilled it down to the essentials of how the internet works and the nature of a protocol as a contract. Bravo.



His whole analogy only works because the librarian is a human, and if a human with some apparent authority lets you do something, you can reasonably infer that you have permission to do it. But you can't anthropomorphize a server like that. It's not a gatekeeper, capable of granting permission, just a dumb lock which may be flawed. Only humans can consent.

To repurpose his analogy, if you sneak into the staff room and the librarian doesn't notice and doesn't stop you, you can't use that to say it must have been okay.


Both are gatekeepers. One has been configured with an employee handbook. The other is configured using .htaccess or similar. When making requests of either, how do you know whether you have permission to make the request you're about to make?

If a server cannot consent, does issuing "GET /" to a web server mean you snuck into the homepage and are not authorized to view what the web server was configured to provide to you?


People boil down to dumb locks--if presented with the correct context and input, if they are rational they should by definition grant access.

This library analogy was the best way I've seen the issue put, and one that is actually accurate.


I totally didn't understand where you were going with that.


I agree with the library analogy.


The problem is that the people who wrote the code are human. The people who deployed the code are human. The people who paid for the internet connection that lets you connect to their service are human.

There are any number of explicit steps that are taken to put code on an HTTP service on the internet.


If you're going to repurpose the analogy, do it right. The librarian is supposed to let you into x room. Someone somewhere expected you to look at one record before leaving, but you check out some other records. But at no point did you wholesale sneak past the librarian.



