Cross-origin requests pose a security risk because an application able to make requests to a third-party site is able to act on behalf of a user of that site, due to the fact that, if a user is logged into that site, the browser will send those requests with the cookies it has for that third-party site. Merely sending a request, without any included “proof” that it comes from any user at all, poses no security risk unless the site on the receiving end is handling user logins by the client’s IP address or something. The proposal made here is for STATELESS requests, as in, requests made without cookies or any other form of state a website might use to authenticate a user’s browser (to show that they are logged in).
CORS is necessary because, by sending requests authenticated as coming from the user by way of some sort of state sent in the request (saved from an existing, legitimate login), a malicious site could impersonate a legitimate one when dealing with the legitimate site’s backend. If that state is not present in the request, then simply making a request to the legitimate server from a malicious application does not pose any security risk I can think of. The fact that it’s done from the same browser that’s used for legitimate logins doesn’t mean the malicious request would have any way of proving itself to be legitimate. The session ID still isn’t there.