I work at a SOC2 audited business and had a coworker who would routinely leave his PC unlocked. I would routinely set his desktop background to My Little Pony. He would routinely get grumpy at me and tell me not to touch his computer. I would routinely tell him I can't touch his computer if he locks it.
It was a great way to train someone to follow SOC2 requirements.
The reason I asked for the documentation is because even your bank example falls short - my coworkers and I are trained in and expected to follow SOC2 requirements. Taking the job in the first place means explicitly agreeing that you will follow the SOC2 requirements that we adopted because our customers said "we won't host data with you unless you are secure and audited."
I can see an argument that I shouldn't be a "vigilante" about making sure people follow security practices they agreed to when taking the job, but we are all responsible for the security of the business. A repeat offender coworker who doesn't care about the security consequences of leaving their PC unlocked is a security risk which needs to be addressed. This isn't just a case of messing with a friend.
Further, the PC is company property and subject to acceptable use policies. It's not "my computer" so I have no reasonable expectation that it is a sacred object other people won't mess with. Assuming others won't mess with your things is a terrible reason not to lock your door at night. Getting angry at a burglar for entering because you failed basic security misses the point of your failure.
My repeat offender coworker got over his indignation that I touched his computer and then started doing what he was required to do the entire time and locked his computer every time he got up. I stopped touching his computer. He didn't get written up or fired for repeat security failures, and all was well.
It was a great way to train someone to follow SOC2 requirements.