adastra22 a day ago
I thought it was prevented by standard browser cross-domain security checks. That's why I'm so surprised.
johncolanduoni 20 hours ago | parent
Requests that need a CORS preflight will fail with any browser from the last 20 years, yes. The private IP addresses are not any more vulnerable than `www.google.com` is from `www.notgoogle.com` for cross-origin policy (subdomain-sensitive policies have a small extra vulnerability). But you’re right that doing this kind of thing without nefarious intent is an insane edge case and it should be opt-in. People spray `Access-Control-Allow-Origin: *` like it’s DDT in the 50s and half-ass security in general when it’s on an intranet, so an extra guardrail is still worth it.
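An added example, not code from the thread or from either commenter, that models the browser-side decision the reply above describes: which cross-origin requests get a preflight, when the response is readable, and what a `*` policy on an intranet host gives away. The origins (`https://attacker.example`, `https://intranet-app.example`), the `makeIntranetServer` policies and the `sideEffect` flag are hypothetical stand-ins for a real host; the safelisted methods, headers and content types follow the Fetch specification's definition of a "simple" request.

```javascript
// Added example (not from the thread): a model of the browser's CORS decision for a
// cross-origin request from an attacker page to an intranet host. Server policies,
// origins and the sideEffect flag are hypothetical stand-ins.

const SAFE_METHODS = new Set(["GET", "HEAD", "POST"]);
// CORS-safelisted request headers; content-type is only safe for three values.
const SAFE_HEADERS = new Set(["accept", "accept-language", "content-language", "content-type"]);
const SAFE_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded",
  "multipart/form-data",
  "text/plain",
]);

// Names of request headers that are not CORS-safelisted and therefore force a preflight.
function nonSafelistedHeaders(headers = {}) {
  const out = [];
  for (const [name, value] of Object.entries(headers)) {
    const lname = name.toLowerCase();
    if (!SAFE_HEADERS.has(lname)) { out.push(lname); continue; }
    if (lname === "content-type") {
      const mime = String(value).split(";")[0].trim().toLowerCase();
      if (!SAFE_CONTENT_TYPES.has(mime)) out.push(lname);
    }
  }
  return out;
}

// True when the request is not "simple", so the browser sends an OPTIONS preflight first.
function needsPreflight(method, headers = {}) {
  return !SAFE_METHODS.has(method.toUpperCase()) || nonSafelistedHeaders(headers).length > 0;
}

// The CORS check: may a page at `origin` read a response carrying these headers?
function responseReadable(origin, responseHeaders, withCredentials = false) {
  const acao = responseHeaders["access-control-allow-origin"];
  if (acao === undefined) return false;
  if (acao === "*") return !withCredentials; // wildcard never satisfies a credentialed request
  if (acao !== origin) return false;
  return !withCredentials || responseHeaders["access-control-allow-credentials"] === "true";
}

// Hypothetical intranet endpoint. policy is "none", "wildcard" or "allowlist".
function makeIntranetServer(policy, allowedOrigins = []) {
  const corsHeaders = (origin) => {
    if (policy === "wildcard") return { "access-control-allow-origin": "*" };
    if (policy === "allowlist" && allowedOrigins.includes(origin)) {
      return {
        "access-control-allow-origin": origin,
        "access-control-allow-credentials": "true",
        "vary": "Origin",
      };
    }
    return {};
  };
  return {
    preflight(origin) {
      return {
        ...corsHeaders(origin),
        "access-control-allow-methods": "GET, POST, DELETE",
        "access-control-allow-headers": "content-type, x-requested-with",
      };
    },
    request(origin, method) {
      // Any non-GET that reaches the handler is treated as having done something.
      return { headers: corsHeaders(origin), body: "internal data", sideEffect: method.toUpperCase() !== "GET" };
    },
  };
}

// What the browser does for one cross-origin fetch from `origin` to `server`.
function attemptCrossOrigin(server, origin, { method, headers = {}, withCredentials = false }) {
  const preflighted = needsPreflight(method, headers);
  if (preflighted) {
    const pf = server.preflight(origin);
    const allowedMethods = (pf["access-control-allow-methods"] || "").split(",").map((s) => s.trim().toUpperCase());
    const allowedHeaders = (pf["access-control-allow-headers"] || "").split(",").map((s) => s.trim().toLowerCase());
    const ok = responseReadable(origin, pf, withCredentials)
      && allowedMethods.includes(method.toUpperCase())
      && nonSafelistedHeaders(headers).every((h) => allowedHeaders.includes(h));
    // A failed preflight means the real request is never sent at all.
    if (!ok) return { preflighted, sentToServer: false, readable: false, sideEffect: false };
  }
  const resp = server.request(origin, method);
  return { preflighted, sentToServer: true, readable: responseReadable(origin, resp.headers, withCredentials), sideEffect: resp.sideEffect };
}
```

The case worth noticing is the preflight-free request: a `POST` with a `text/plain` body to a host that sends no CORS headers at all is still delivered and still fires its side effect; the browser only refuses to let the attacker page read the reply. A host that answers `Access-Control-Allow-Origin: *` to everyone additionally lets the preflighted `DELETE` through and makes the reply readable, which is exactly the intranet failure mode the comment describes.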