Tinfoil hat mode: CORS enforced in the browser and other such related "privacy" tech were pushed by Google and big tech to prevent stuff like this. Turning the browser into a consumption platform with an encrypted pipe between your screen and the server. As opposed to the browser being an agent acting on the user's behalf.
I think your Tinfoil hat is misplaced. CORS was a hack added to fix the "bug" that cookies are sent cross-origin by default. Without CORS (and modern per-origin cookie jar policies) evil.example could load up https://facebook.com/api/friends.json and get a list of your friends or profile.json to read your profile. CORS was an ugly bandaid to prevent this without breaking existing sites.
I agree that CORS is a pain and a mess but it had very clear and non-nefarious benefits when it was introduced. Maybe when all browsers only support origin-isolated cookie jars it can be obsoleted but I wouldn't hold my breath.