Hacker News
by djweis 2053 days ago
Assuming I'm running malware.com, I would make 192-168-0-1.router.malware.com resolve to 192.168.0.1 so the origin matches and I can prod the router as much as I'd like without crossing the origin.

The proposal talks about sites resolving to private/local addresses, so presumably, the browser would still apply the checks to all requests to that domain.

The only thing that would not trigger CORS is if you somehow loaded a top-level document from that domain (the address is in the browser's address bar). However, a malicious website can't do that, as this server is not under their control.

Correct. https://wicg.github.io/cors-rfc1918/#dns-rebinding describes this reasoning.
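
A simplified model of the check discussed in this thread, as an added example that is not part of any comment or of the proposal's text: the decision is keyed on the address a request actually resolves to, so a matching origin does not help. The address ranges, constants, function names and the 203.0.113.10 document address are assumptions made for this illustration.

```python
import ipaddress

# Ordered from least to most private. The ranges are a simplification chosen
# for this example, not copied from the proposal.
PUBLIC, PRIVATE, LOCAL = 0, 1, 2
_PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "fc00::/7", "fe80::/10")]


def address_space(ip: str) -> int:
    """Classify the address a connection actually went to."""
    addr = ipaddress.ip_address(ip)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
        addr = addr.ipv4_mapped  # ::ffff:192.168.0.1 is still the router
    if addr.is_loopback:
        return LOCAL
    if any(addr in net for net in _PRIVATE_NETS):
        return PRIVATE
    return PUBLIC


def needs_preflight(document_ip: str, target_ip: str,
                    top_level_navigation: bool = False) -> bool:
    """True when a subresource request crosses into a more private space.

    Hostname and origin are deliberately not inputs: only the resolved
    addresses are compared.
    """
    if top_level_navigation:
        return False  # the target is being loaded as the document itself
    return address_space(target_ip) > address_space(document_ip)


# Constructed sample: the hostname from the thread, before and after the
# attacker's DNS answer changes. 203.0.113.10 is a documentation address
# standing in for the public server that delivered the page.
DOCUMENT_IP = "203.0.113.10"
RESOLUTIONS = [
    ("192-168-0-1.router.malware.com", "203.0.113.10"),
    ("192-168-0-1.router.malware.com", "192.168.0.1"),
]


def evaluate(resolutions=RESOLUTIONS, document_ip=DOCUMENT_IP):
    """Return (host, resolved_ip, preflight_required) for each resolution."""
    return [(h, ip, needs_preflight(document_ip, ip)) for h, ip in resolutions]
```
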