> Local network devices are protected from random websites by CORS

C'mon. We all know that 99% of the time, Access-Control-Allow-Origin is set to * and not to the specific IP of the web service.

Also, CORS is not in the control of the user while the proposal is. And that's a huge difference.