> If someone could and would steal valuables, it seems highly unlikely that he/she/it would notify you before doing it.

after* doing it. Though I agree with your general point

Note the parts in the email to the organization where OP (1) mentions they found underage students among the unsecured accounts and (2) attaches a script that dumps the database, ready to go¹. It takes very little to see in access logs that they accessed records that they weren't authorized to, which makes it hard to distinguish their actions from malicious ones

I do agree that if the org had done a cursory web search, they'd have found that everything OP did (besides dumping more than one record from the database) is standard practice and that responsible disclosure is an established practice that criminals obviously wouldn't use. That OP subsequently agrees to sign a removal agreement, besides the lack of any extortion, is a further sign of good faith which the org should have taken them up on

¹ though very inefficiently, but the data protection officer that they were in touch with (note: not a lawyer) wouldn't know that and the IT person that advises them might not feel the need to mention it