Actually, after digging further into the code, what it is doing if the user is not authenticated is it creates a site user with the customer email address (or attaches to an existing user if there is one with the same email) but marks it as not visible in member list if it creates one. Admin user can still find him using member list search. If the user later tries to register it will say he already exists, but he can then use password recovery on the login page to get his password which was randomly created, and then he can get to his purchase history.
So if he is an existing user he can view his order with more detail by logging in.
If he was a user created during order processing there is still a natural way he will be able to later login and see his order
or he can remain unauthenticated and see the order with no personal information.
But no authenticated user can see another user's order. This should remain as is.
Really it is better for everyone if the user authenticates before purchasing. It is enforced for download products that a user must authenticate to complete the order, but for orders with fullfilment type none it does allow checkout without authentication but then we have to be more protective of what data we can show, ie only product data, no customer data on order detail.