The previous post touched on some issues of protected accounts that should be pursued in more detail. Twitter’s rules for developers have two basic principles that apply here: Don’t surprise the user, and Respect user privacy. Both certainly apply to revealing data from a protected account.
What becomes clear if you experiment with the code in the user_tweet.php tool is that it is possible to see the last tweet of a protected account. This happens when you request a protected account with OAuth tokens from that same account. This can occur in two ways. You can be using single-user OAuth and then call user_tweet() with that user’s user_id or screen_name. Or you can have a multi-user login system, and call user_tweet() with the tokens for the same user you are asking about.
The important point is that just because you get back a $response->status element in the API response, you can’t assume it is OK to display it or store it in a database. You must always check the $response->protected element first. If that element is not empty, or has a value of true, then the account is protected, and you should ignore any tweet data delivered by the API.
I understand why Twitter coded the response for protected accounts the way they did. Their assumption is that when you authorize with a user’s tokens, it is OK to give you all their data. It is your responsibility to not accidentally reveal this data. The safe rule is: If the account is protected, don’t look at the tweets.
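The check described above, written out as an added example rather than code from the user_tweet.php tool: the function gates the status element on the protected flag, and the sample bodies below it are constructed to mimic what the API returns when the requesting user's own tokens are used. The function name displayable_status is hypothetical; the field names protected, status and screen_name are the ones the post refers to.

```php
<?php
// Added example, not part of the original user_tweet.php tool.

/**
 * Return the tweet that is safe to display or store, or null when the
 * account is protected. $user is the object produced by json_decode()
 * on the API body (the same object the post calls $response).
 */
function displayable_status(stdClass $user): ?stdClass
{
    // Any non-empty value counts as protected, not only boolean true,
    // so a body carrying the string "true" is treated the same way.
    if (!empty($user->protected)) {
        return null;
    }
    // Unprotected account: the status element, if the API sent one.
    return isset($user->status) ? $user->status : null;
}

// Constructed sample bodies (not real API output), standing in for what
// user_tweet() gets back when called with the tokens of the same user.
$samples = [
    '{"screen_name":"alice","protected":true,"status":{"id_str":"1","text":"only for followers"}}',
    '{"screen_name":"bob","protected":false,"status":{"id_str":"2","text":"hello world"}}',
    '{"screen_name":"carol","protected":"true","status":{"id_str":"3","text":"also private"}}',
    '{"screen_name":"dave","protected":false}',
];

foreach ($samples as $json) {
    $user = json_decode($json);
    $status = displayable_status($user);
    if ($status === null) {
        // Protected account (or no status at all): show and store nothing.
        echo "{$user->screen_name}: nothing to show\n";
    } else {
        echo "{$user->screen_name}: {$status->text}\n";
    }
}
```

Running this prints a line for bob only with tweet text; alice and carol come back as "nothing to show" even though the API body included a status element for both, which is exactly the case the post warns about. Putting the check in one helper that every display and database path goes through is what keeps a later refactor from accidentally reading $response->status directly.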