The local server has to send Access-Control-Allow-Origin: * for this to work, right?
Are there any common local web servers or services that use that as the default? Not that it’s not concerning, just wondering.
No, simple requests [1] - such as a GET request, or a POST request with text/plain Content-Type - don't trigger a CORS preflight. The request is made, and the browser may block the requesting JS code from seeing the response if the necessary CORS response header is missing. But by that point the request has already been made. So if your local service has a GET endpoint like http://localhost:8080/launch_rockets, or a POST endpoint that doesn't strictly validate the body Content-Type, then any website can trigger it.
[1] https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/COR...
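A server-side guard for the situation described in the comment above, as an added example that is not part of the thread: it classifies which requests a browser sends without a preflight, and rejects those before a state-changing handler runs. The function names, the `http://localhost:8080` origin allowlist and the sample requests are assumptions constructed for illustration.

```javascript
// Methods and Content-Type values that keep a cross-origin request "simple"
// (sent with no CORS preflight), per the Fetch spec's CORS safelist.
const SIMPLE_METHODS = new Set(["GET", "HEAD", "POST"]);
const SIMPLE_TYPES = new Set([
  "application/x-www-form-urlencoded", "multipart/form-data", "text/plain",
]);
// Assumption: the only web origin allowed to drive this service is its own UI.
const TRUSTED_ORIGINS = new Set(["http://localhost:8080"]);

// Header keys are lowercase, as Node's http module delivers them.
function mediaType(headers) {
  return (headers["content-type"] || "").split(";")[0].trim().toLowerCase();
}

// True when a browser would send this request cross-origin without asking first.
// Simplification: only method and Content-Type are considered, not custom headers.
function skipsPreflight(method, headers) {
  const type = mediaType(headers);
  return SIMPLE_METHODS.has(method.toUpperCase()) &&
    (type === "" || SIMPLE_TYPES.has(type));
}

// Gate for a state-changing endpoint. Runs before any side effect.
function guardStateChange(method, headers) {
  if (method.toUpperCase() !== "POST")
    return { status: 405, reason: "state changes only via POST" };
  const origin = headers["origin"]; // absent for non-browser clients such as curl
  if (origin !== undefined && !TRUSTED_ORIGINS.has(origin))
    return { status: 403, reason: "untrusted Origin" };
  // application/json is not safelisted, so a cross-origin page must pass a
  // preflight (which this service never approves) before the POST is sent.
  if (mediaType(headers) !== "application/json")
    return { status: 415, reason: "Content-Type must be application/json" };
  return { status: 200, reason: "ok" };
}

// Constructed sample requests, not captured traffic.
const samples = [
  ["GET", {}],
  ["POST", { origin: "https://attacker.example", "content-type": "text/plain" }],
  ["POST", { "content-type": "text/plain; charset=utf-8" }],
  ["POST", { origin: "http://localhost:8080", "content-type": "application/json" }],
];
for (const [method, headers] of samples) {
  const verdict = guardStateChange(method, headers);
  console.log(method, JSON.stringify(headers),
    "no-preflight:", skipsPreflight(method, headers), "->", verdict.status, verdict.reason);
}
```

The guard covers request forgery only; it does not replace authentication on the endpoint.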
I was thinking in terms of response exfiltration, but yeah, better put that /launch_rockets endpoint behind some auth.