> it’s meant to protect the users from themselves

This is false. It is meant to protect users from a confused-deputy attack made by malicious websites, where that website makes a request to a "serious" API but the user has never asked for, or approved, that request.
Blaming the user for everything that happens serves nobody.