The HTTP doesn't just allow access to data. It mediates the entire exchange.
As others pointed out, a HTTP 200 response is an action that's explicitly defined to mean "here, have this data, we're done here". If a physical storefront was running on HTTP, then the 200 response would contain just the image of the storefront (I get to view it how I like - maybe through glasses, maybe through rose-tinted glasses, or maybe via touch if I'm blind; and I definitely get to not look at advertisements if I don't like them). If I ask the store clerk for an item, they would usually respond with something like 402 Payment Required or 403 Forbidden, and that response would not contain the item I asked for. This would indicate I need to meet extra conditions to access the resource (like giving them cash along with my request).
Fundamentally it all boils down to this: on the Internet, if you send some data, you give it away. You can't, by default, dictate what I do with that data. The time to make those demands is before you hand over the data.
As others pointed out, a HTTP 200 response is an action that's explicitly defined to mean "here, have this data, we're done here". If a physical storefront was running on HTTP, then the 200 response would contain just the image of the storefront (I get to view it how I like - maybe through glasses, maybe through rose-tinted glasses, or maybe via touch if I'm blind; and I definitely get to not look at advertisements if I don't like them). If I ask the store clerk for an item, they would usually respond with something like 402 Payment Required or 403 Forbidden, and that response would not contain the item I asked for. This would indicate I need to meet extra conditions to access the resource (like giving them cash along with my request).
Fundamentally it all boils down to this: on the Internet, if you send some data, you give it away. You can't, by default, dictate what I do with that data. The time to make those demands is before you hand over the data.