It seems to me that if someone “takes apart something to see how it works”, and that something does not belong to them personally, or they do not have explicit permission to do so, from the owner, then that someone is in the wrong.
Not necessarily.
For instance, I have several machines in my server rack that run Apache web server. If I find an security problem on one of those and report it, every Apache web server of that same version on the Internet will have the same problem, just now everyone is aware of it.
Also, if a web server is publicly available, sending it commands and looking at the responses is exactly what your web browser does. Your web browser simply formats the responses into what you are used to seeing. What your web browser receives is very different to what you are used to seeing. A hacker will typically examine those raw responses directly rather than letting the web browser format them.