Tags: rest, http-status-code-404, http-status-codes, stateless

What response status code should I return?


I am having a simple shopping list app where users can create a shopping list, view a shopping list and even share a shopping list. My problem is: given that a User has not created a shopping list, let's say x, but it has been created by another user and therefore it is in the database, what status code should I return to this User who didn't create this shopping list? Should it be a 403, since it is in the database but this user has no permission to view it, or should it be a 404, since it does not exist in this user's collection of shopping lists?


Solution

  • You should return 404: the user shouldn't know about another cart with the same ID that is owned by a different user.

    Returning 403 is considered a security flaw because then a malicious hacker can start hitting your APIs with consecutive user-ids until they find the user which owns the cart.
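To make the answer's point concrete, here is an added example (not code from the question or the answer above) that compares the two handler designs side by side. The store, the `ShoppingList` type, the `shared_with` field and the handler names are all assumptions for the illustration. The "leaky" handler answers 403 for a list owned by someone else, so an unauthenticated-to-that-list caller can tell existing IDs from missing ones; the "safe" handler scopes the lookup to what the caller is allowed to see, so a foreign list and a nonexistent list both produce 404 and the ID space reveals nothing.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Optional, Tuple

@dataclass(frozen=True)
class ShoppingList:
    list_id: int
    owner_id: int
    items: Tuple[str, ...]
    # Users the owner explicitly shared the list with (the app's "share" feature).
    shared_with: FrozenSet[int] = field(default_factory=frozenset)

# Constructed sample store: list 42 belongs to user 1 (shared with user 3),
# list 43 belongs to user 2. Every other ID is absent.
LISTS: Dict[int, ShoppingList] = {
    42: ShoppingList(42, owner_id=1, items=("milk", "eggs"), shared_with=frozenset({3})),
    43: ShoppingList(43, owner_id=2, items=("bread",)),
}

def _can_view(user_id: int, sl: ShoppingList) -> bool:
    """Owner or explicitly-shared user may view the list."""
    return sl.owner_id == user_id or user_id in sl.shared_with

def get_list_leaky(user_id: int, list_id: int) -> Tuple[int, Optional[ShoppingList]]:
    """The '403 if it exists but is not yours' design the answer warns against.
    Existence is decided before authorization, so the status code itself
    discloses whether the ID is taken."""
    sl = LISTS.get(list_id)
    if sl is None:
        return 404, None
    if not _can_view(user_id, sl):
        return 403, None
    return 200, sl

def get_list_safe(user_id: int, list_id: int) -> Tuple[int, Optional[ShoppingList]]:
    """The recommended design: look the list up *as this user*. A list the
    caller may not see is treated exactly like one that does not exist."""
    sl = LISTS.get(list_id)
    if sl is None or not _can_view(user_id, sl):
        return 404, None
    return 200, sl

def distinguishable_statuses(handler, user_id: int, candidate_ids) -> list:
    """Defender's check: the set of status codes an outsider observes while
    sweeping an ID range. More than one distinct code for IDs the caller
    does not own means the endpoint is an existence oracle."""
    return sorted({handler(user_id, i)[0] for i in candidate_ids})

if __name__ == "__main__":
    # User 9 owns nothing; sweep IDs 40..45 against both handlers.
    print("leaky:", distinguishable_statuses(get_list_leaky, 9, range(40, 46)))  # [403, 404]
    print("safe: ", distinguishable_statuses(get_list_safe, 9, range(40, 46)))   # [404]
```

The `distinguishable_statuses` helper is the check to keep around: run it with a user who owns nothing across a stretch of IDs, and a result containing anything other than a single 404 means the endpoint still leaks which IDs exist. Note that the safe handler still returns 200 for a shared list (user 3 on list 42), so the sharing feature keeps working without re-opening the oracle.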