I can see your local web servers

When will software engineers finally understand that issues like these aren't problems with some random service you run on your computer, but with the (lack of) security model behind modern web browsing?

Modern web browsing provides for this with same-origin policy. Same-origin policy can be negated by the server if it sets an overly lax CORS directive.

So this is something that's secure by default, but can be broken if the "random service you run on your computer" decides to break it. I don't think that's an issue with the browser's security model.

Same-origin policy is not a security model. It's a ridiculous quarter century old hack. If you pause to think about it, domain names are a horrible way to delineate security boundaries on the web.

I disagree about domain names, but I don't think that's even relevant to this discussion.

Do you have some kind of security model in mind that would work better than same-origin policy in this case? I.e. cross-origin requests are still allowed to happen somehow, but users are still protected against random services intentionally disabling your security measures?

It is bloody obvious that when people spin something up on their local machines the do not intend to make those pages available to every website they visit. This by itself suggests that there should be a dedicated security context for such applications and that the restriction on information exchange should be based on that context. Not on some random thing the application does (like authentication, CSRF or sending CORS headers).

Scenarios like that should be the foundation of a sensible security model, not an afterthought achieved by applying layers and layers of security ducktape in every single instance.