Why don't all browsers, desktop and mobile, just block all cross-origin access to localhost?
There's an effort to define standard behavior here. See https://wicg.github.io/private-network-access/ (although I suspect this document may make a significant shift soon)
I thought they did for resources and JS, which is why Meta have to use WebRTC instead?
I think the Yandex one slips through because CORS does a naive check against just what's in the header, not what it resolves to?
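Added example (not from this thread or the spec it links): the defensive counterpart to the point above. The browser only knows the hostname, so a public name that resolves to 127.0.0.1 looks like any other site to CORS. A loopback-only service can close that gap by validating the Host header itself and only answering the Private Network Access preflight for origins it trusts. `LOOPBACK_HOSTS`, `ALLOWED_ORIGINS` and the `decide` helper are constructed for illustration.

```python
import re
from typing import Optional

# Constructed allowlist of Host values a loopback-only service accepts.
# A rebinding attack arrives with a public hostname in Host that happens to
# resolve to 127.0.0.1; checking the Host name, not the resolved address,
# is what rejects it.
LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "[::1]"}

# Origins allowed to call this service from a web page (assumed value; an
# empty set would mean "no web page may call us", the safest default).
ALLOWED_ORIGINS = {"https://app.example"}  # hypothetical first-party origin

_HOST_RE = re.compile(r"^(?P<host>\[[^\]]+\]|[^:]+)(?::(?P<port>\d{1,5}))?$")


def host_is_loopback(host_header: Optional[str]) -> bool:
    """True only if the Host header names the loopback interface (any port)."""
    if not host_header:
        return False
    m = _HOST_RE.match(host_header.strip())
    if not m:
        return False
    return m.group("host").lower() in LOOPBACK_HOSTS


def decide(headers: dict) -> tuple:
    """Return (status, response_headers) for one request to the local service.

    `headers` is the request header map as a handler would see it; names are
    matched case-insensitively.
    """
    h = {k.lower(): v for k, v in headers.items()}
    if not host_is_loopback(h.get("host")):
        return 421, {}  # Misdirected Request: Host does not name this service
    origin = h.get("origin")
    if origin is None:
        return 200, {}  # no Origin: same-origin page or a non-browser client
    if origin not in ALLOWED_ORIGINS:
        return 403, {}  # a cross-origin page this service does not trust
    resp = {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}
    # Private Network Access preflight: grant the opt-in only to trusted origins
    if h.get("access-control-request-private-network") == "true":
        resp["Access-Control-Allow-Private-Network"] = "true"
    return 200, resp
```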
For one I think it would break all those "update your BIOS via your motherboard website" apps that probably shouldn't exist anyways.
There probably are some legitimate uses, but I'm straining to come up with them.