Related to CONF-7073, this is what an unauthorized message is for. Users should be given the option to choose the behavior since Atlassian is straying from the normal behavior of the web when a user doesn't have access (by returning a 404).

Its bizarre to default an invalid permission issue to a false 404 message.

In our instance we a have reverse proxy which handles error messages for us, and this invalid error message confuses everything and everybody.