From @jonny, author of the incoming Mastodon “fetch all replies in thread” PR:

“As an addendum, I would say that this should be considered *expected behavior* for activitypub: the `replies` collection is a public `Collection` that is part of an actor’s `outbox` and servers should expect other servers to to paginate through these, and the source servers should implement access controls accordingly.”