Spent a few hours digging through Bluesky's labyrinthian source code. Abstractions on top of abstractions on top of abstractions...
Anyway, they make it impossible to fetch profiles from any PDS or their mega "relay" without credentials. But oddly if you run your own PDS, you can somehow fetch profiles from their central servers without authentication... huh...
So I finally figured out that api.bsky.app is their open domain.
Eg, this one requires authentication:
https://bsky.social/xrpc/app.bsky.actor.getProfile?actor=did%3Aplc%3Azhbjlbmir5dganqhueg7y4i3
But this one does not:
https://api.bsky.app/xrpc/app.bsky.actor.getProfile?actor=did%3Aplc%3Azhbjlbmir5dganqhueg7y4i3
So... they realized they had a problem. In order to be decentralized, you have to allow public access. But instead of just allowing public access to their big mega service, they made a separate service just for PDS installations and then didn't advertise that fact.