public facing is fine
Not exactly, if it is something unintentionally public facing, that can get you charged with accessing a computer without authorization under the Computer Fraud and Abuse Act. This happened in this case: https://en.wikipedia.org/wiki/Goatse_Security#AT&T/iPad_email_address_leak
sending a HTTP request with a valid ICC-ID embedded inside it to the AT&T website, the website would reveal the email address associated with that ICC-ID.
On November 20, 2012, Auernheimer was found guilty of one count of identity fraud and one count of conspiracy to access a computer without authorization
More information: https://www.wired.com/2012/11/hacking-choice-and-disclosure/
I don’t particularly like Linus, but he was bearable in this video. As someone who assumed this was a SIM swap, I was genuinely as confused as he was playing it up when he was able to place calls but not receive them. That was really interesting.