The CFAA makes it illegal to exceed authorized access to any 'protected computer' (in practice, basically any computer).

The exploit developer avoids violating the CFAA by developing the exploit on their own computer... because you are authorized to access your own computer.

The government doesn't violate the CFAA when using exploits because government agencies are exempt under 18 USC § 1030(f).