I think there's room for both, clients can respond or not depending on how aggressively they wan to auth. If there are implicit access controls going on, the relay may choose to respond with some subset of data without notifying the user. Or it may notify so the user knows to authenticate because they're missing out.
Discussion
This is the way I've implemented it in noStrudel. There's an option to enable signing auth as soon as it's received. But generally it waits till it sees a auth-required response