POST-as-GET and privacy

Thanks for finding those links, @mnorhoff! That is accurate. The specific issue raised by reviewers was that some CAs might consider the account ID-to-hostname matching sensitive. More broadly, the issue was that we had a protocol in which some elements were authenticated, and some were not, based only on whether they happened to have polling semantics or "write" (i.e. POST) semantics.

Right now we don't specify any access control rules for Orders, Authorizations, and Challenges (because we don't consider those resources sensitive), but for best compatibility with other ACME servers, you should probably assume that most ACME servers will enforce that those objects can only be retrieved by the account they were created for. It's possible we might implement such a rule in Boulder if it looks like it will be useful in encouraging the client ecosystem in the right direction.

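To make the two points in the reply concrete (POST-as-GET means every read is authenticated by the account key, and a server can then choose to enforce that Orders, Authorizations and Challenges are only returned to the account that created them), here is an added illustration. It is not code from the thread and not Boulder's code. It assumes the JWS signature has already been verified upstream (so the `kid` header is trustworthy), and the account URLs, resource URLs and in-memory table are constructed for the example.

```python
import base64
import json

# Assumed account URLs, constructed for this example; the thread names none.
ACCT_A = "https://acme.example/acme/acct/42"
ACCT_B = "https://acme.example/acme/acct/43"

# Constructed in-memory table: every Order, Authorization and Challenge records
# the account that created it, which is exactly what an ownership rule needs.
RESOURCES = {
    "https://acme.example/acme/order/1": {"type": "order", "owner": ACCT_A, "status": "pending"},
    "https://acme.example/acme/authz/7": {"type": "authorization", "owner": ACCT_A, "status": "pending"},
    "https://acme.example/acme/chall/9": {"type": "challenge", "owner": ACCT_A, "status": "pending"},
}


class AcmeError(Exception):
    """Problem-document style error: an RFC 8555 error type URN plus a detail string."""

    def __init__(self, error_type, detail):
        super().__init__(detail)
        self.error_type = error_type


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_post_as_get(kid, url, nonce):
    """Client side: a POST-as-GET is a JWS whose payload is the empty string.

    The signature is a placeholder (hypothetical); a real client signs with the
    account key and the server verifies that signature before fetch_resource runs.
    """
    protected = {"alg": "ES256", "kid": kid, "nonce": nonce, "url": url}
    return {
        "protected": b64url(json.dumps(protected).encode()),
        "payload": "",
        "signature": b64url(b"signature-verified-upstream"),
    }


def fetch_resource(jws, requested_url, enforce_owner=True):
    """Server side: check the POST-as-GET framing, then apply the ownership rule.

    Assumes the JWS signature was already verified against the key identified by
    kid, so kid can be trusted as the requesting account. enforce_owner=False
    models a server that authenticates reads but imposes no per-account rule.
    """
    protected = json.loads(b64url_decode(jws["protected"]))
    if "kid" not in protected:
        raise AcmeError("urn:ietf:params:acme:error:malformed", "kid header required")
    if protected.get("url") != requested_url:
        raise AcmeError("urn:ietf:params:acme:error:malformed", "url header does not match request URL")
    if jws.get("payload") != "":
        raise AcmeError("urn:ietf:params:acme:error:malformed", "POST-as-GET requires an empty payload")
    resource = RESOURCES.get(requested_url)
    if resource is None:
        raise AcmeError("urn:ietf:params:acme:error:malformed", "no such resource")
    # Ownership rule: the object is only returned to the account that created it.
    if enforce_owner and resource["owner"] != protected["kid"]:
        raise AcmeError("urn:ietf:params:acme:error:unauthorized", "resource belongs to another account")
    # Never echo the owner field back in the response body.
    return {k: v for k, v in resource.items() if k != "owner"}


def error_type_for(jws, requested_url, enforce_owner=True):
    """Return the ACME error type URN a request would produce, or None on success."""
    try:
        fetch_resource(jws, requested_url, enforce_owner)
    except AcmeError as err:
        return err.error_type
    return None


if __name__ == "__main__":
    order = "https://acme.example/acme/order/1"
    print(fetch_resource(make_post_as_get(ACCT_A, order, "nonce-1"), order))
    print(error_type_for(make_post_as_get(ACCT_B, order, "nonce-2"), order))
```

The client-facing takeaway matches the reply: write your client so that every poll of an Order, Authorization or Challenge is a signed POST-as-GET from the creating account, because a server with the ownership rule switched on will reject anything else with `unauthorized`.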