There's nothing stopping someone from passing an unrelated annotation ID to make it look like it is an annotation for any specific entity: https://musicbrainz.org/artist/6a0b0138-dc06-4d5c-87b3-fab64f0fd326/annotation/480647

This isn't a serious issue by any means, but it should be probably be rejected with a Bad Request error if the ID requested is not an annotation for the specific entity in question.