Attackers do not read responses from HTTP requests either. I think it's fair that the default behavior is to protect all endpoints and a user can explicitly change the behavior.