Yeah, I had a similar case with some authentication middleware I used that was part of a library.
It would always throw an exception when a user wasn’t authenticated instead of just giving me some flag I could check.
Wouldn’t have done it that way, but it was okay for an API controller.
Not really. Exceptions are a controlled way of indicating something went wrong in an application.
The only point where you wouldn’t know about the possibility of one is when you don’t know enough about the language features you’re using or when you use a badly documented library or framework.