If a student somehow knows what data to post to the endpoint, they might try to do so. If they omit the course param, they will be presented with the import confirmation because we have not yet been able to place them in a course and check capabilities, namely 'moodle/course:manageactivities'. This can only occur when someone is doing something they shouldn't be, and it's not that Moodle will allow the import either. It's more about how early we're able to detect that the person isn't able to import and throw an appropriate error. When the course is provided, we already check the relevant capability on the confirmation page (index.php) and throw an error. It's only when course is omitted that there's an issue.
We'd like to be able to do this at the confirmation page, which is a system context page. At this stage in the process, we've no way to check 'moodle/course:manageactivities' (which of course a student does not have), because we don't yet have a course to check.
This issue is about discussing and possibly implementing a solution which will allow us to throw an error as soon as we can if a user is known (somehow) to not be a valid user of the import feature.
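One possible shape for the early check, as an added example rather than Moodle's own code: the helper name `example_require_import_capability()` is hypothetical, and treating "holds the capability in no course at all" as "not a valid user of the import feature" is an assumption, since the issue leaves the rule open.

```php
<?php
// Added example, not part of Moodle. Intended to be called from the
// confirmation page (index.php) after require_login().
defined('MOODLE_INTERNAL') || die();

const EXAMPLE_IMPORT_CAPABILITY = 'moodle/course:manageactivities';

/**
 * Hypothetical helper: fail as early as possible for users who cannot import.
 *
 * @param int|null $courseid Course id from the request, or null when omitted.
 * @throws required_capability_exception When the user cannot import.
 */
function example_require_import_capability(?int $courseid): void {
    if ($courseid !== null) {
        // Course supplied: the check the confirmation page already performs.
        require_capability(EXAMPLE_IMPORT_CAPABILITY,
            context_course::instance($courseid));
        return;
    }

    // Course omitted: this is a system context page, so there is no course
    // context to test. Assumption: a user who holds the capability in no
    // course cannot complete an import anywhere, so reject them now.
    $courses = get_user_capability_course(EXAMPLE_IMPORT_CAPABILITY);
    if (empty($courses)) {
        throw new required_capability_exception(
            context_system::instance(),
            EXAMPLE_IMPORT_CAPABILITY,
            'nopermissions',
            ''
        );
    }

    // Passing here is only a fail-fast filter. The capability must still be
    // checked against the specific course once the user selects one.
}
```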