Why is there no access control for the webcam in OctoPrint? Why is my webcam always on?

OctoPrint doesn't serve the webcam stream itself, or interacts with your webcam directly.

Instead it only embeds webcam streams in either mjpg or hls format in the web frontend and consumes snapshot URLs provided by an external webcam server, most commonly mjpg-streamer as also included on OctoPi.

Because OctoPrint doesn't serve the webcam stream itself, cannot possibly control access to it. Even when it doesn't embed it on its UI, either because webcam integration has been disabled or because OctoPrint's permissions don't include webcam permissions, nothing would keep anyone from just guessing your webcam's URL and accessing the images or stream that way. If you want to limit the access to your webcam, you need to do this a layer above OctoPrint, e.g. your reverse proxy (haproxy on OctoPi) or your router's firewall.

Remote control of the webcam server mjpg-streamer as bundled with OctoPi to enable/disable it from the system menu as needed can be achieved via configuration of additional system commands, e.g.

    - name: Turn camera on
      action: camon
      command: sudo service webcamd start
      confirm: You are about to start the bundled webcam server.
    - name: Turn camera off
      action: camoff
      command: sudo service webcamd stop
      confirm: You are about to stop the bundled webcam server.

Proper network security management is not OctoPrint's job, there are way better tools for these kind of tasks. Do not blindly expose your OctoPrint instance on the internet or any other hostile network you don't have full control over.