CSRF can compromise the non-mutating path as well to exfiltrate data, but the mutating and non-mutating paths are different, hence the OPTIONS preflight that is required prior to sending mutating requests.

The browser enforces the same-origin policy by preventing reads of non-mutating (i.e. “simple”) request responses and preventing the sending of mutating (i.e. non-“simple”) requests. CORS provides a protocol for a service to loosen these controls.

> CORS doesn't block the underlying GET/POST request

It does block ALL requests for certain content types.

In the common cross origin case of a JSON API, CSRF beyond CORS is unnecessary.

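Both comments above turn on the same distinction: the “simple” requests a browser sends without asking versus those it preflights. The following added example (not from any commenter) models that rule in Python: `requires_preflight` implements the CORS-safelisted criteria from the Fetch spec, and `CorsPolicy` / `browser_outcome` are hypothetical helpers showing that a cross-origin `application/json` POST is stopped at preflight when the origin is not allowlisted, while a form-encoded POST is still sent and therefore still needs CSRF protection.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# CORS-safelisted methods, request headers and Content-Type media types
# (Fetch spec, simplified: header value length limits are not modelled).
SAFELISTED_METHODS = {"GET", "HEAD", "POST"}
SAFELISTED_HEADERS = {"accept", "accept-language", "content-language", "content-type"}
SAFELISTED_CONTENT_TYPES = {"application/x-www-form-urlencoded", "multipart/form-data", "text/plain"}


def requires_preflight(method: str, headers: Dict[str, str]) -> bool:
    """True if a browser sends an OPTIONS preflight before this cross-origin request.

    A request is "simple" only if the method is safelisted, every header name is
    safelisted, and any Content-Type is one of the three form-style media types.
    Anything else (application/json, a custom header, PUT/DELETE) is preflighted,
    so the server can refuse it before the real request is ever sent.
    """
    if method.upper() not in SAFELISTED_METHODS:
        return True
    for name, value in headers.items():
        lname = name.lower()
        if lname not in SAFELISTED_HEADERS:
            return True
        if lname == "content-type":
            media_type = value.split(";", 1)[0].strip().lower()
            if media_type not in SAFELISTED_CONTENT_TYPES:
                return True
    return False


@dataclass
class CorsPolicy:
    """Server-side origin allowlist (hypothetical helper, not a real library API)."""
    allowed_origins: Set[str] = field(default_factory=set)

    def response_headers(self, origin: Optional[str]) -> Optional[Dict[str, str]]:
        if origin is None or origin not in self.allowed_origins:
            return None  # no Access-Control-Allow-Origin: browser blocks the read or the preflight
        return {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}


def browser_outcome(policy: CorsPolicy, origin: str, method: str, headers: Dict[str, str]) -> str:
    """Model the browser: 'blocked-by-preflight', 'sent-opaque' or 'allowed'."""
    allowed = policy.response_headers(origin) is not None
    if requires_preflight(method, headers):
        # Preflight fails -> the mutating request is never sent at all.
        return "allowed" if allowed else "blocked-by-preflight"
    # Simple request: always sent (hence CSRF risk); only the response read depends on CORS.
    return "allowed" if allowed else "sent-opaque"
```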