JSON-RPC is supposed to be agnostic of what channel is being used. As per the 2.0 spec, there is no reason for using anything but 200 http status code whenever we are doing JSON-RPC over HTTP.
Also, returning 400 for valid JSON-RPC requests doesn't help when integrating with JSON-RPC clients.
Any valid JSON-RPC request should generate a JSON-RPC response, the HTTP status code should be 200. No matter if the response is a success or error response.
Calling a method that hasn't been enabled or a method that doesn't exist are valid JSON-RPC requests, therefore the expected response is a JSON-RPC error (and status code = 200)
Any invalid JSON-RPC request (malformed json, etc) should generate a 400 status code.