Hacker News

xg15, today at 10:47 AM, 0 replies

CORS seems to be the Offside rule of the webdev world.

I wonder if much of that misunderstanding comes from the threat model being quite unusual and not always easy to understand.

For starters, there are three parties, which all don't trust each other: the server, the browser and the JavaScript running inside the browser.

The browser is supposed to protect the server against requests from unauthorized JavaScript applications. CORS is there to mark certain requests as "authorized", while keeping the protection active for the rest.

But the entire system only works if those three components exist in the first place, as enforcement relies solely on the browser.
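The three-party model in the comment above, as an added example that is not part of the original post: one function plays the origin server deciding which CORS headers to attach, one plays the browser performing the CORS check on behalf of the page's script, and one plays a non-browser client that performs no check at all. The allowlist, the page origins and the response body are constructed for the example; header names are assumed to be lowercased, as Node's `http` module does.

```javascript
// Constructed allowlist of origins the server is willing to let browser
// scripts read its responses from (example value, not from the post).
const ALLOWED_ORIGINS = new Set(['https://app.example', 'https://admin.example']);

// Server side: decide which CORS headers to attach to a response.
// Note the body is returned no matter what the Origin header says:
// CORS headers are advice to the browser, not server-side access control.
function serverResponse(requestHeaders, allowCredentials = true) {
  const origin = requestHeaders.origin; // absent for same-origin and non-browser requests
  const headers = {
    'content-type': 'application/json',
    // Because the allowed origin is echoed rather than '*', caches must key
    // on the Origin header, or one origin's headers get served to another.
    vary: 'Origin',
  };
  if (origin !== undefined && ALLOWED_ORIGINS.has(origin)) {
    headers['access-control-allow-origin'] = origin;
    // '*' can never be combined with credentials, so credentialed APIs
    // must echo a specific origin from an allowlist.
    if (allowCredentials) headers['access-control-allow-credentials'] = 'true';
  }
  return { status: 200, headers, body: '{"balance":42}' }; // constructed body
}

// Browser side: the CORS check the browser runs on a cross-origin response
// before letting the page's script read it. Models cross-origin fetches only;
// a same-origin request would skip this check entirely.
function browserAllowsRead(pageOrigin, responseHeaders, withCredentials) {
  const acao = responseHeaders['access-control-allow-origin'];
  if (acao === undefined) return false;          // server said nothing: blocked
  if (acao === '*') return !withCredentials;     // wildcard is rejected with credentials
  if (acao !== pageOrigin) return false;         // header names some other origin
  if (withCredentials &&
      responseHeaders['access-control-allow-credentials'] !== 'true') return false;
  return true;
}

// Non-browser client: there is no CORS check. This is the comment's point
// that enforcement relies solely on the browser; the server still has to
// authenticate and authorize the request itself.
function nonBrowserClient(requestHeaders) {
  return serverResponse(requestHeaders).body;
}

// Walk through the three outcomes for one resource.
function demo() {
  const trusted = serverResponse({ origin: 'https://app.example' });
  const untrusted = serverResponse({ origin: 'https://other.example' });
  return {
    trustedPageCanRead: browserAllowsRead('https://app.example', trusted.headers, true),
    untrustedPageCanRead: browserAllowsRead('https://other.example', untrusted.headers, true),
    serverStillSentBodyToUntrusted: untrusted.body === trusted.body,
    curlGetsBody: nonBrowserClient({}) === trusted.body,
  };
}
```

The `untrustedPageCanRead: false` and `serverStillSentBodyToUntrusted: true` pair is the important one: the server handed the data to the browser either way, and only the browser's check kept it away from the script.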