But by that logic, any kind of malicious web activity should be allowed. Once you remove all the abstractions, any kind of attack is just computers behaving how they've been instructed to. An injection attack is only a server processing a particularly strange request.
Don't plug shit into the internet you don't understand.
If that's a problem for you, hire someone who does understand it before you do.
I have no problem with complete deregulation of the exchange of information over the internet, as it's impossible to use violence to force anyone to do anything via an Ethernet cable.
It's impossible for a packet to be the root cause of harm coming to another.
Negligence or recklessness when attaching not-fully-understood systems to the Internet, on the other hand, should expose people to liability when the personal information stored in those systems is publicized. The fundamental cause is "idiots plugged in a server without suitable authentication", not "somebody across the world sent it some electrons".
It is crystal-clear to me that all packet transmission should be protected speech, including buffer overflows and other so-called "malicious" traffic.
Just because it's obvious to you (because you are willing to make an assumption) what is malicious and what is not, that doesn't mean that it's anything resembling fair to force others to make those assumptions to avoid criminal liability.
The full text of War and Peace could be "malicious" traffic when sent to a machine that stupidly copies it into a fixed-size buffer. This is not a job for the law to decide. It's a blunt instrument.
(There's also the issue of the stupidity of allowing the receiver to retroactively declare "oh, that was not intended, and thus unauthorized".)
The responsibility must always lie with those who interpret the traffic, not those who send it.