It's probably less secure by default. Make sure to reject all HTTP requests where the Origin header doesn't match the local server host, or just all request with an Origin header.
What you really need is a shared secret between (embedded) browser and (local) server.
IP, host header, origin header can be checked as defense in depth, but can't prevent local privilege escalation from non browser clients and are quite fragile even in browsers.
(or use a secure non TCP/IP based communication channel)
> but can't prevent local privilege escalation from non browser clients
That is such a different threat model though. A native app has a lot more permissions than a web page. Trying to protect one native app from another is not really done much. Like, are MS Word documents encrypted so Slack can't read them from disk?
IP, host header, origin header can be checked as defense in depth, but can't prevent local privilege escalation from non browser clients and are quite fragile even in browsers.
(or use a secure non TCP/IP based communication channel)