Thankfully, since then, Chrome and all other major browsers now ask the user for permission before letting websites send requests to localhost or any local IP addresses. Obviously some users may click through that, but it prevents the behavior from being invisible to the user at least, and gives them a way to say no.

https://developer.chrome.com/blog/local-network-access

PS: I still recommend never installing Meta apps on your phone.

PPS: There are legitimate uses of this functionality, so as a web dev I'm happy the functionality wasn't silently blocked. This gives an opportunity to explain to the user why the permission is needed if the use is legitimate. Would be nice if it could be further scoped though.