
The potential downside of stopping once you find a critical defect is that the company may not take it seriously unless you go just a bit further and show what you can do with the defect. In this case, showing that it gives you access to the admin dashboard.



Generally, hacking into a live system without permission is strictly illegal. Once you have discovered some surface level vulnerability you are legally obligated to stop, at a minimum. You can't just keep hacking and exploiting things that cross a certain, generally clear threshold, without permission. Intent definitely matters, but you can still end up in jail if a prosecutor has a hair up their ass and decides they have a good case against you.

I do agree, some of the time you need fireworks to get the right people's attention. You could argue there is some moral imperative there, but ethically you are in the wrong if you keep going. Just have to decide if the moral imperative outweighs clearly breaking the law in situations where you don't have permission.


It is illegal as soon as you break in. Going as far as possible, without destroying anything, is no more illegal than stopping early, but gives less proof of security problems.


"Break in" in a modern web app pretty much happens the moment you access data you aren't supposed to access. Not damaging anything is irrelevant. I mean, no one destroyed anything in the Equifax hack. They just retrieved all the data.



