Misuse of http.StatusForbidden #673
Description
It's not clear to me why http.StatusForbidden (403) is being used as a synonym for http.StatusNotFound (404):
go-tuf/metadata/updater/updater.go, line 494 at commit 110bec9:

    if tmpErr.StatusCode != http.StatusNotFound && tmpErr.StatusCode != http.StatusForbidden {
I do not think it is reasonable to assume we have the latest metadata given a 403?
The RFC is quite clear on what 403 means:
The 403 (Forbidden) status code indicates that the server understood the request but refuses to fulfill it. A server that wishes to make public why the request has been forbidden can describe that reason in the response content (if any).
So the server is saying "I know what you're asking for, but I'm not giving it to you due to $reason".
It is not uncommon for example for CDNs or Proxies to return a 403 if the sysadmin has configured some context specific deny rules (e.g. blocking certain IP ranges).
Therefore the fact you are denied the TUF metadata cannot, in my view, be used to assume you have the latest version?
The TUF spec says (5.3.1, updating the root role): "If this file is not available...."
Given a 403 we don't know with any certainty if the file is not available. It might not be available full stop or it might not be available to you.
The point is a 403 is something that should (IMHO) be bubbled back up to the user as a failure because, e.g., they may have sent the wrong authentication credentials or they are being subjected to a security block.
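The difference in outcome is easiest to see with the root-update walk the quoted line sits in. The example below is added here and is not go-tuf's code: `ErrDownloadHTTP` is an assumed stand-in for the error the line inspects, `UpdateRoot` is a simplified version of the loop with a switch between the two behaviours, and `ConstructedRepo` is a constructed server where a deny rule answers 403 for every root after version 2.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
)

// ErrDownloadHTTP is an assumed stand-in for the error the quoted
// line inspects via tmpErr.StatusCode; it is not go-tuf's own type.
type ErrDownloadHTTP struct{ StatusCode int }

func (e *ErrDownloadHTTP) Error() string { return fmt.Sprintf("HTTP %d", e.StatusCode) }

// UpdateRoot requests current+1, current+2, ... until the server reports
// the next root unavailable and returns the highest version obtained.
// tolerate403=true reproduces the quoted condition: a 403 ends the walk
// like a 404, so the client assumes it already holds the latest root.
// tolerate403=false ends the walk only on 404 and surfaces a 403 to the
// caller as a failure.
func UpdateRoot(fetch func(int) ([]byte, error), current int, tolerate403 bool) (int, error) {
	for next := current + 1; ; next++ {
		if _, err := fetch(next); err != nil {
			var tmpErr *ErrDownloadHTTP
			if errors.As(err, &tmpErr) && (tmpErr.StatusCode == http.StatusNotFound ||
				(tolerate403 && tmpErr.StatusCode == http.StatusForbidden)) {
				return current, nil
			}
			return current, err
		}
		current = next // signature and rollback checks on the new root omitted here
	}
}

// ConstructedRepo (constructed sample) stands for a server where a deny
// rule (IP block, missing credentials, ...) answers 403 to this client
// for every root after version 2, so the client is stuck at root 2.
func ConstructedRepo(version int) ([]byte, error) {
	if version <= 2 {
		return []byte(fmt.Sprintf(`{"signed":{"version":%d}}`, version)), nil
	}
	return nil, &ErrDownloadHTTP{StatusCode: http.StatusForbidden}
}

func main() {
	v, err := UpdateRoot(ConstructedRepo, 1, true)
	fmt.Println("403 tolerated:", v, err) // 2 <nil>: stale root, no error reported
	v, err = UpdateRoot(ConstructedRepo, 1, false)
	fmt.Println("403 surfaced: ", v, err) // 2 HTTP 403
}
```

With the 403 tolerated the blocked client silently keeps root 2 and reports success; with it surfaced the same client still keeps root 2 but the caller learns the update was refused.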