can't the browser download the webpage that contains code to scan 127.0.0.1 then forward the data back to the server? this would also bypass vpn protection.
Are you suggesting that as a bypass for Brave's protection or something? And you do understand that this is how browsers work in general, by downloading code, running, and forwarding data back to servers?
I believe Cyder was explaining his (and my) understanding of what this new Brave feature is trying to prevent. That is the kind of behavior that this feature is putting a stop to, localhost connections.