This has already happened. A technique called DNS Rebinding has made it possible for remote websites to issue connections to your localhost (which should not normally be be allowed) for the last 15 years or so. As a result, it is a security vulnerability to web serve on localhost without checking the Origin: header or having the connecting browser prove that it's local by reading a token from disk and using it to authenticate.
(And whether it's a severe vulnerability depends on what the web server provides. In many cases, this has been "RCE on your machine".)
Most OS in use have multi-user security models, these days mostly used to compartmentalize system components and service accounts. Lots of vulnerabilities come from cutting corners here.
