When requesting an image through an image style URL (e.g. .../files/styles/my-style/public/my-image.jpg), but the original image file (.../files/my-image.jpg) does not exist, it would make more sense for Drupal to return a Page Not Found, instead of an Access Denied error.
Reasons:
1. When requesting .../files/my-image.jpg (i.e. without the image style portion), Drupal does return a 404.
2. In certain server configurations, 404's are cached for some time, but 403's aren't. In this case, a DDoS attack could be made to the server by simply requesting many images that don't exist.
I'm proposing a patch to the image.module file.