Well, it's easy to "not trust yourself" when you have user-submittable content that you display for other users. Sure, one should absolutely sanitize it, but layered security is important.
reply
> CORS is a threat model used for when you can't trust yourself.

No. But many lack basic understanding of web technologies or facts like that a browser can be used to access more than a single site. This leads to not understanding what problems cross-site requests can cause and thus the impossibility of understanding what CORS is for.

reply
Eh, or maybe you landed on a malicious site or clicked on a malicious phishing link which opened your browser.
reply