Super bad news about that: even if it didn't allow the `localhost` string, DNS rebinding allows the domain name of the site you visited to become 127.0.0.1.
The answer to why browsers allow connections to 127.0.0.1 from external sites is probably something like "legacy reasons".
DNS rebinding can be fixed at the DNS server level. OpenWRT has an option for it.
But this websocket thing in browsers can't easily be turned off/mitigated AFAICT.
In many projects I have worked on in the last 2 decades, one of the first things I find myself needing to do is fix the name services and setup of .local/.home ... To me it really appears that the skill of naming things starts at the network - to that end, crap-named networks propagate amnesia.
Because the web is supposed to be a web of multiple sites, built by multiple people, sharing a web of resources.
Localhost is just another site. If you want to make it secure, make it secure.
You realize that anybody on your coffeeshop wifi can also connect to your localhost server, don't you? Just because a server is running on your laptop doesn't mean it's not a server, running on the internet.
It would be better to say that your laptop is running software on the intranet, not the internet.
Also at least by convention, localhost is only accessible via the loopback interface. This allows it to be accessible even if there is no physical network to connect to, but also means that it is only accessible on the same physical/virtual computer that it is running.
To let other people in the coffee shop access your software you would need to connect to a public or private interface.
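A server-side check for the two issues raised in this thread (a rebound DNS name resolving to 127.0.0.1, and cross-site WebSocket connections to a local service), as an added example that is not code from any commenter. The function name, port 8765 and the origins are assumptions, and the sample handshakes are constructed.

```javascript
// Added example: names, port and origins below are assumptions, not from the thread.
const LOOPBACK_NAMES = ["localhost", "127.0.0.1", "[::1]"];

// Decide whether a local HTTP/WebSocket handshake should be accepted.
// headers: object with lower-cased header names, as Node's http module provides.
function checkLocalHandshake(headers, { port, allowedOrigins, allowNoOrigin = false }) {
  const host = String(headers["host"] || "").toLowerCase();
  const expectedHosts = LOOPBACK_NAMES.map((n) => `${n}:${port}`);
  // After rebinding, the browser still sends the external site's name in Host,
  // even though the TCP connection lands on 127.0.0.1.
  if (!expectedHosts.includes(host)) {
    return { ok: false, reason: "host-not-loopback" };
  }
  const origin = headers["origin"];
  if (origin === undefined) {
    // Non-browser clients (CLI tools) send no Origin; accept only if opted in.
    return allowNoOrigin
      ? { ok: true, reason: "no-origin-allowed" }
      : { ok: false, reason: "origin-missing" };
  }
  // WebSocket handshakes are not blocked by the same-origin policy, so the
  // server has to compare Origin against an explicit allowlist itself.
  if (!allowedOrigins.includes(String(origin).toLowerCase())) {
    return { ok: false, reason: "origin-not-allowed" };
  }
  return { ok: true, reason: "ok" };
}

// Constructed sample handshakes for a hypothetical service on port 8765.
const POLICY = { port: 8765, allowedOrigins: ["http://localhost:8765"] };
const SAMPLES = {
  ownPage: { host: "localhost:8765", origin: "http://localhost:8765" },
  reboundName: { host: "rebind.example:8765", origin: "http://rebind.example:8765" },
  crossSiteSocket: { host: "127.0.0.1:8765", origin: "https://other.example" },
  cliClient: { host: "127.0.0.1:8765" },
};

// Run every sample through the check and collect the decision reasons.
function runSamples() {
  const out = {};
  for (const [name, headers] of Object.entries(SAMPLES)) {
    out[name] = checkLocalHandshake(headers, POLICY).reason;
  }
  return out;
}
console.log(runSamples());
```

The Host check is what stops a rebound name, and the Origin check is what stops a cross-site WebSocket; a local service needs both, because each request in the samples passes one check while failing the other.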