Currently no method exists (that I could find) to allow authentication plugins working on top of Jenkins to test a path to see if it does not require authentication; Jenkins does it (in part, at least) using Jenkins.getTarget() (https://github.com/jenkinsci/jenkins/blob/master/core/src/main/java/jenkins/model/Jenkins.java#L3875). This function does too much for some plugins, e.g. NegotiateSSO, because it first checks for read permissions.
I propose breaking the functionality of Jenkins.getTarget() into several functions, allowing a plugin to access the checks for paths that shouldn't be protected. The attached diff file gives an example (diff base is commit e014700, on jenkinsci/jenkins).
The other solutions that have been given to me so far involve maintaining a list of exceptions, which seems unwise to me.
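A sketch of the split the post proposes, as an added example that is not taken from Jenkins or from the attached diff. The class `CoreAccess`, the methods `isUnprotectedPath`, `mayServe` and `shouldNegotiate`, and the path list are all hypothetical and constructed for illustration. It shows the path check exposed on its own, so that an authentication plugin can ask core whether a path is exempt instead of keeping its own copy of the list.

```java
import java.util.List;
import java.util.function.Predicate;

/** Hypothetical stand-in for the core class; not Jenkins' real code. */
final class CoreAccess {
    // Constructed sample list; the real set of unprotected paths lives in Jenkins core.
    private static final List<String> UNPROTECTED_PREFIXES = List.of("/login", "/logout", "/error");

    /** Pure path check with no permission lookup: the piece a plugin needs. */
    static boolean isUnprotectedPath(String restOfPath) {
        if (restOfPath == null) return false;
        for (String p : UNPROTECTED_PREFIXES) {
            // Match only on a segment boundary so "/loginAdmin" is not exempted.
            if (restOfPath.equals(p) || restOfPath.startsWith(p + "/")) return true;
        }
        return false;
    }

    /** Combined check in the order the post describes: read permission first, then path. */
    static boolean mayServe(String restOfPath, Predicate<String> hasRead) {
        return hasRead.test(restOfPath) || isUnprotectedPath(restOfPath);
    }
}

public class SsoFilterSketch {
    /** Plugin-side decision: negotiate only for paths that core does not exempt. */
    static boolean shouldNegotiate(String restOfPath) {
        return !CoreAccess.isUnprotectedPath(restOfPath);
    }

    public static void main(String[] args) {
        // Constructed sample paths, including a look-alike prefix.
        for (String path : new String[] {"/login", "/loginAdmin", "/job/build", "/error/oops"}) {
            System.out.println(path + " -> negotiate=" + shouldNegotiate(path));
        }
    }
}
```

Because the plugin calls the same predicate core uses, a path added to or removed from the core list changes both decisions together, which is the drift a plugin-maintained exception list cannot avoid.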