Right now, we return a 403 in a lot of places, but we actually should return a 401 if no authentication is provided. This doesn't apply to all 403s, but it does apply to quite a few.

I'd suggest we add a function for this, so we could simply switch to:

return new WP_Error( 'error_code', __( 'Error message' ), 'status' => json_authorization_required() );

with something like:

function json_authorization_required() {
    return is_user_logged_in() ? 403 : 401;
}