This has already happened. A technique called DNS Rebinding has made it possible for remote websites to issue connections to your localhost (which should not normally be be allowed) for the last 15 years or so. As a result, it is a security vulnerability to web serve on localhost without checking the Origin: header or having the connecting browser prove that it's local by reading a token from disk and using it to authenticate.
(And whether it's a severe vulnerability depends on what the web server provides. In many cases, this has been "RCE on your machine".)
(And whether it's a severe vulnerability depends on what the web server provides. In many cases, this has been "RCE on your machine".)
Here's an example from 2018: https://bugs.chromium.org/p/project-zero/issues/detail?id=14...