Importantly, it only prevents clients that actually care about the CORS headers. Like ohh I'm from hacker.org and the HTTP headers say it only allows zoom.us ohh nooooo. Like it's just an HTTP header! Now if you use a mainstream browser and you accidentally visit hacker.org in an iframe at some shady site - then the CORS header will prevent your browser from accessing it.

It is widely assumed by users that web browsing is safe.

If a browser does not implement CORS protections (but allows cross-origin requests), then its users must have non-standard expectations about security.