How to choose between an HTTP 403 and a 404 error?

If the collection or resource isn't considered public information, e.g. a private profile, then the client should receive a 404. If, on the other hand, the collection is considered public information, then the client should receive a 403.

For more information, see RFC 7231, sections 6.5.3 and 6.5.4.