> it’s meant to protect the users from themselves

This is false. It is meant to protect users from a confused-deputy attack made by malicious websites, where that website makes a request to a "serious" API but the user has never asked for, or approved, that request.

Blaming the user for everything that happens serves nobody.

reply
Isn't it arguably the opposite?

A CORS header in the response tells your browser to relax CORS restrictions.

reply
Like the sibling said: CORS is the relaxation of default security features. It's even in the name: Cross-Origin Resource Sharing.
reply
'No Sharing' is a policy on sharing. Being literal about the name misses their point.
reply
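The point argued in the thread above, that the browser's default is "no sharing" and a CORS response header relaxes it, shown as an added example (not part of any comment): a simplified JavaScript model of the Fetch standard's CORS check on a response. The origins and function names are constructed for illustration, and preflight requests are not modelled.

```javascript
// Simplified model of the Fetch standard's "CORS check": may a script running
// on `pageOrigin` read this cross-origin response? Preflight is not modelled.
function corsCheck(pageOrigin, credentialsMode, responseHeaders) {
  // Header names are case-insensitive, so normalise them first.
  const headers = {};
  for (const [name, value] of Object.entries(responseHeaders)) {
    headers[name.toLowerCase()] = value;
  }
  const allowOrigin = headers["access-control-allow-origin"];

  // Default policy: no header at all means nothing is shared.
  if (allowOrigin === undefined) return false;
  // The wildcard relaxes the default only for requests without credentials.
  if (credentialsMode !== "include" && allowOrigin === "*") return true;
  // Otherwise the header must name the requesting origin exactly.
  if (allowOrigin !== pageOrigin) return false;
  if (credentialsMode !== "include") return true;
  // Reading a credentialed (cookie-bearing) response needs a second opt-in.
  return headers["access-control-allow-credentials"] === "true";
}

function canReadResponse(pageOrigin, targetOrigin, credentialsMode, responseHeaders) {
  if (pageOrigin === targetOrigin) return true; // same origin: no CORS check
  return corsCheck(pageOrigin, credentialsMode, responseHeaders);
}

// Constructed sample origins: an API, its legitimate front end, another site.
const API = "https://api.example";
const APP = "https://app.example";
const OTHER = "https://other.example";

function demo() {
  const optIn = {
    "Access-Control-Allow-Origin": APP,
    "Access-Control-Allow-Credentials": "true",
  };
  return {
    noHeader: canReadResponse(OTHER, API, "include", {}),
    wildcardWithCookies: canReadResponse(OTHER, API, "include",
      { "Access-Control-Allow-Origin": "*" }),
    wildcardAnonymous: canReadResponse(OTHER, API, "omit",
      { "Access-Control-Allow-Origin": "*" }),
    namedOriginWithCookies: canReadResponse(APP, API, "include", optIn),
    otherOriginWithCookies: canReadResponse(OTHER, API, "include", optIn),
  };
}

console.log(demo());
```

The only cases that return `true` are the ones where the API's response explicitly opts in; every other cross-origin read is refused by default, including a wildcard response to a request that carried the user's cookies.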