Every attack ever uses something that can be described as "official channels." It's all in the code, after all. As Apple's response makes clear, this is indeed not via the official channels.

"Authorization" in the legal sense != authorization in the cryptographic sense. You can get a token and still be not legally authorized to access a system.

It's not illegal to scrape a website, even if the owners don't want it to be scraped.

Accessing a public server using the public protocol it advertises is generally allowed.