"It's his own data in the system, which makes this completely different. In your lock picking example, it would be a landlord finding one of their tenants picking their flat's locks"

More accurate would be catching your tenant picking every single apartment's lock to prove that their personal lock is vulnerable.

Assuming the vulnerability scanner tries some basic login attacks (for example, trying default username/passwords), then it would be analogous to a landlord finding one of their tenants trying to pick their neighbours' locks, and that of the building management office.

So you think you can do the testing of any system that contains your data without prior permission?

No it's more analogous to him trying to break into a bank vault because it has his money.

If by breaking in you mean walking in through open, unsecured doors...