Apache allowing HTTP access when should be redirected to HTTPS

Quote from the documentation:

If no matching ServerName or ServerAlias is found in the set of virtual hosts containing the most specific matching IP address and port combination, then the first listed virtual host that matches that will be used.

(highlighting not by me).

In other words, Apache will always use one of the VirtualHosts, even if none of the configured VirtualHosts matches exactly. Not configuring an address does not mean that the address is not serving some content.

(Note: only after posting this I realized that the question is tagged with apache-2.2, but the 2.2 documentation contains a virtually identical paragraph).


2) Given the IP address I'm using isn't 127.0.0.1, why am I allowed access on port 80?

Because you don't bind/restrict Apache httpd to the loopback interface specifically, but listen on all interfaces.

You probably have a Listen 80 directive elsewhere in your httpd.conf that allows Apache to accept traffic to port 80 on all interfaces. (You probably want to keep that to be able to continue to Redirect from HTTP to HTTPS on your internet-facing website(s).)

Additionally, you use <VirtualHost *:80> in your Virtual Host definitions. That makes them valid on all interfaces/IP addresses. As Gerald Schneider already explained, that then makes the first VirtualHost entry the default that will handle all requests that don't match any of your other VirtualHost entries.

Your use case is a good example of when to use more specific IP-based VirtualHost definitions, which will behave more predictably in the way you intend:

# Loopback only: reachable from the machine itself, serves files directly
<VirtualHost 127.0.0.1:80>
   ServerName 127.0.0.1
   DocumentRoot /var/www/web
</VirtualHost>

# Public address (a hostname here is resolved to its IP once, at startup);
# everything arriving on it is sent to HTTPS
<VirtualHost example.com:80>
   ServerName example.com
   Redirect permanent "/" "https://example.com/"
</VirtualHost>
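To make the selection rule quoted above concrete, here is an added example (not code from either answer) that models how httpd picks a VirtualHost: keep the blocks with the most specific matching address:port, prefer one whose ServerName/ServerAlias matches the Host header, otherwise fall back to the first listed block in that set. It is a simplified model (no IPv6 brackets, no main-server ServerName), and the RESOLVE table plus the addresses 203.0.113.10 and 198.51.100.7 are constructed stand-ins for DNS and for the server's public and extra interface addresses.

```python
import fnmatch
import re
from dataclasses import dataclass, field

# Constructed name-resolution table. Real httpd resolves a hostname written in
# <VirtualHost host:port> once at startup; this dict stands in for that lookup.
RESOLVE = {"example.com": "203.0.113.10"}

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)


@dataclass
class VHost:
    addrs: list                      # [(ip_or_"*", port_or_"*"), ...]
    body: str                        # directives inside the block
    server_name: str = ""
    aliases: list = field(default_factory=list)

    def redirects(self) -> bool:
        """True if the block carries a Redirect directive (the HTTP->HTTPS hop)."""
        return re.search(r"^\s*Redirect\b", self.body, re.M | re.I) is not None


def _parse_addr(token: str):
    """'*:80' -> ('*','80'); 'example.com:80' -> ('203.0.113.10','80'); '_default_' == '*'."""
    host, sep, port = token.rpartition(":")
    if not sep:                      # no port given
        host, port = token, "*"
    if host == "_default_":
        host = "*"
    return RESOLVE.get(host, host), port


def _bare_host(value: str) -> str:
    """Strip an optional scheme and port from a ServerName/Host value."""
    return re.sub(r"^\w+://", "", value).split(":")[0].lower()


def parse_vhosts(conf: str) -> list:
    """Extract the VirtualHost blocks from a config string, in file order."""
    vhosts = []
    for addr_list, body in VHOST_RE.findall(conf):
        vh = VHost(addrs=[_parse_addr(t) for t in addr_list.split()], body=body)
        for line in body.splitlines():
            parts = line.split()
            if len(parts) < 2:
                continue
            if parts[0].lower() == "servername":
                vh.server_name = _bare_host(parts[1])
            elif parts[0].lower() == "serveralias":
                vh.aliases.extend(a.lower() for a in parts[1:])
        vhosts.append(vh)
    return vhosts


def _rank(addr, ip: str, port: str):
    """None if addr does not match the connection; otherwise higher = more specific."""
    a_ip, a_port = addr
    if a_ip not in ("*", ip) or a_port not in ("*", port):
        return None
    return (a_ip != "*", a_port != "*")


def select_vhost(vhosts: list, ip: str, port, host_header: str):
    """Return the VHost that would answer, or None for the main server config."""
    port = str(port)
    best, candidates = None, []
    for vh in vhosts:
        ranks = [r for r in (_rank(a, ip, port) for a in vh.addrs) if r is not None]
        if not ranks:
            continue
        rank = max(ranks)
        if best is None or rank > best:
            best, candidates = rank, [vh]
        elif rank == best:
            candidates.append(vh)
    if not candidates:
        return None
    host = _bare_host(host_header)
    for vh in candidates:            # name-based match first ...
        if host == vh.server_name or any(fnmatch.fnmatch(host, a) for a in vh.aliases):
            return vh
    return candidates[0]             # ... else the first listed vhost in the set


# Constructed configs: the wildcard layout from the question and the IP-based fix.
WILDCARD_CONF = """
<VirtualHost *:80>
   ServerName 127.0.0.1
   DocumentRoot /var/www/web
</VirtualHost>
<VirtualHost *:80>
   ServerName example.com
   Redirect permanent "/" "https://example.com/"
</VirtualHost>
"""
IP_BASED_CONF = WILDCARD_CONF.replace("<VirtualHost *:80>", "<VirtualHost 127.0.0.1:80>", 1) \
                             .replace("<VirtualHost *:80>", "<VirtualHost example.com:80>", 1)


def outcome(conf: str, ip: str, host_header: str) -> str:
    """Summarise what a plain-HTTP request to ip:80 with the given Host gets."""
    vh = select_vhost(parse_vhosts(conf), ip, 80, host_header)
    if vh is None:
        return "main server"
    return "redirect to HTTPS" if vh.redirects() else f"content from vhost {vh.server_name}"


if __name__ == "__main__":
    print(outcome(WILDCARD_CONF, "203.0.113.10", "203.0.113.10"))  # content from vhost 127.0.0.1
    print(outcome(IP_BASED_CONF, "203.0.113.10", "203.0.113.10"))  # redirect to HTTPS
    print(outcome(IP_BASED_CONF, "198.51.100.7", "198.51.100.7"))  # main server
```

The first call shows the problem from the question: with two `*:80` blocks, a request to the public address by IP matches no ServerName, so the first listed block (the local DocumentRoot site) answers and no redirect happens. With the IP-based blocks the same request can only land on the example.com block and is redirected; a request to an address that no block claims falls through to the main server config, which is the case to check with `apachectl -S` after changing the layout.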

Tags:

Ssl

Apache 2.2