Trading this way is completely legal. In fact, there is no law that says individuals are barred from trading any crypto token.
Instead, exchanges are the ones who are not supposed to be allowing people to trade unregistered securities.
Not every token is an unregistered security; in fact, it is unclear which tokens are or aren’t unregistered securities.
Further, while exchanges like Binance and Bittrex cut off US users from ICO tokens, they didn’t do so on an order from the SEC, but as a precaution. They either had to follow a bunch of regulations or they were jeopardizing their businesses. These centralized custodians held these funds. Holding them and allowing the trading of them was more legal trouble than it was worth due to uncertainty, and thus they took the easy path and geoblocked users.
However, none of this matters when it comes to peer-to-peer exchange via smart contracts on the Ethereum network. With peer-to-peer smart contract-based trading systems (AKA DEXs) there is no custodian: users hold their own funds, or there are wallets related to smart contracts which hold funds (although there is still a site that facilitates the peer-to-peer trading, so there can be some murky gray water on the part of the exchange).
Details aside, long story short: As an individual, all you need to do to get around the red tape in a completely legal fashion is to grab MetaMask and then use your web browser (with MetaMask turned on) to access a website hosting smart contracts that facilitate peer-to-peer exchange. For example, Kyber or IDEX.
TIP: Essentially every DEX has a front-facing website. They can and often do still require account creation, and they can and still do block US users at times. Also, there is one case of the SEC going after a DEX (but not its users) with EtherDelta. So which DEXs you can use can change, but the gist is that you can typically still find DEXs to trade on.