> Browsers enforce it, but it can be turned off and nobody expects it to be implemented by a simple REST client application.

No, you're missing the point. Normal people using normal browsers with default settings have CORS enabled. That's the vast majority of your users; everyone who disables it stupidly opts into a risk themselves without any reason to.

So the expectation that CORS is enabled on your users' devices holds. This means it's not a gentleman's agreement!
