Why is there no access control for the webcam in OctoPrint?



Because OctoPrint doesn't serve the webcam stream itself; it only embeds it, and thus cannot possibly control access to it. Yes, it could simply not display the stream to users who are not logged in, but that wouldn't keep anyone from guessing your webcam's URL and accessing the image that way. If you want to limit access to your webcam, you need to do this a layer above OctoPrint, e.g. in your reverse proxy ("haproxy") or your router's firewall.

An analogy: Your house is not safe from unwelcome guests just by hanging a big "keep out" sign on its door but leaving that door a) clearly visible behind the sign and b) unlocked. Just because the publicly accessible webcam is not embedded into a webpage doesn't make it less publicly accessible.

Proper network security management is not OctoPrint's job. Adding security-by-obscurity "features", such as hiding otherwise accessible components like the webcam stream from anonymous users, will just lead people to think they don't have to properly secure their things when in fact they do, and this is something we here certainly don't want on our consciences.
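To confirm that the layer above OctoPrint really is restricting the webcam, request the stream URL directly, without credentials, from the network position you want to keep out. The script below is an added example, not part of OctoPrint; the function name `check_stream_exposure`, the script name in the usage comment and the content-type list are assumptions made for illustration.

```python
"""Check whether a webcam URL answers an unauthenticated request."""
import sys
import urllib.error
import urllib.request

# Content types a snapshot or MJPEG stream endpoint typically returns.
STREAM_TYPES = ("image/", "video/", "multipart/x-mixed-replace")

# Bypass any configured HTTP proxy so the result reflects a direct request.
_opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))


def check_stream_exposure(url, timeout=5):
    """Send one GET with no credentials and classify the answer.

    Returns "exposed", "protected", "not-a-stream" or "unreachable".
    """
    try:
        # Only status and headers are inspected; an MJPEG body never ends.
        with _opener.open(url, timeout=timeout) as resp:
            ctype = resp.headers.get("Content-Type", "").lower()
    except urllib.error.HTTPError as err:
        # 401/403 means a layer in front of the camera demanded credentials.
        return "protected" if err.code in (401, 403) else "not-a-stream"
    except (urllib.error.URLError, OSError):
        # Refused, filtered or timed out, e.g. dropped by a firewall.
        return "unreachable"
    # A 200 with HTML (say, a login page after a redirect) is not the stream.
    return "exposed" if ctype.startswith(STREAM_TYPES) else "not-a-stream"


if __name__ == "__main__":
    # Usage: python check_webcam.py URL [URL ...]
    # Run it from the network position you want to keep out.
    results = {u: check_stream_exposure(u) for u in sys.argv[1:]}
    for u, verdict in results.items():
        print(f"{verdict:12} {u}")
    sys.exit(1 if "exposed" in results.values() else 0)
```

Check every address the camera answers on, both the path through the reverse proxy and the streamer's own port, since protecting only one of them leaves the other reachable.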