
> PS: This has been reported to the ethereum foundation but they don’t consider it a valid vulnerability.

How are DNS rebinding attacks not a valid vulnerability?



The user chose to run an unauthenticated service on localhost. Anything on localhost (e.g. a browser) can access it without authentication.

The vulnerability is allowing the service to run without authentication.


Yes, the same-origin policy is just meant to prevent one website from accessing/using the cookies of another website. It is not designed to prevent web applications from accessing network resources.


This is not how I understood OP - victim just happens to visit attacker.com, everything else is up to attacker. Or am I missing something?


The victim needs to be running a local geth node (with his wallet unlocked for the hacker to actually steal funds), which will give the attacker the wallet addresses at least.


They are, but it's not a problem of the ethereum foundation.

Rather, it's a problem of DNS resolvers and browsers.


Having a service accepting commands with no authorization is a vulnerability. If there are multiple users on the machine they can empty each other’s wallets.


Localhost is, to some extent, a trusted context.

Additionally this requires not having a password on your wallet.


In most cases, especially ones like this, that trust is misplaced and dangerous.


That's more the fault of the browser for allowing an untrusted context to access a trusted context while circumventing the usual protections (i.e., CORS, SOP).


These ‘protections’ do not provide a ‘trusted context’ and cannot defend you from another user on the same computer.

Now your next mistake will be saying ‘but typically there’s only one user’ which is irrelevant because the system runs services as different users for isolation purposes and this vulnerability ignores this isolation.
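The thread argues over whether the browser or the unauthenticated local service is at fault, but the standard service-side defence against DNS rebinding is the same either way: a rebound hostname makes the browser deliver its request to 127.0.0.1, yet the request still carries the attacker's name in its Host header, so a service that only accepts known local names in Host (and only listed browser origins in Origin) drops it before doing anything. The following is an added example written for this page, not code from the thread or from geth (which ships its own virtual-host allow-list as `--http.vhosts`); the port 8545, the handler name and the placeholder JSON-RPC reply are assumptions for illustration.

```python
"""Host-header and Origin allow-list in front of a localhost JSON-RPC service.

Added illustration, not the thread's or geth's code. A DNS rebinding attack
points a hostname at 127.0.0.1 after the page has loaded, so the browser's
request reaches the local service but still says "Host: <attacker's name>".
Rejecting any Host that is not a local name shuts that request out.
"""
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

# Names under which the service legitimately expects to be addressed.
ALLOWED_HOSTS = {"localhost", "127.0.0.1", "[::1]"}


def host_is_allowed(host_header, allowed=ALLOWED_HOSTS):
    """Return True only if the Host header names this machine by a known local name.

    The port suffix is stripped before comparison; a missing or malformed
    header is rejected rather than guessed at.
    """
    if not host_header:
        return False
    host = host_header.strip().lower()
    if host.startswith("["):
        # Bracketed IPv6 literal, optionally followed by :port
        end = host.find("]")
        if end == -1:
            return False
        host = host[: end + 1]
    else:
        host = host.split(":", 1)[0]
    return host in allowed


def origin_is_allowed(origin_header, allowed_origins=()):
    """Browser requests carry an Origin header; allow only explicitly listed origins.

    An absent Origin means a non-browser client (curl, a local wallet app),
    which the Host check above already vets.
    """
    if origin_header is None:
        return True
    return origin_header in allowed_origins


class RpcHandler(BaseHTTPRequestHandler):
    """Minimal handler: both checks run before the request body is even read."""

    def do_POST(self):
        if not host_is_allowed(self.headers.get("Host")):
            self.send_error(403, "Forbidden: unexpected Host header")
            return
        if not origin_is_allowed(self.headers.get("Origin")):
            self.send_error(403, "Forbidden: origin not allowed")
            return
        length = int(self.headers.get("Content-Length", 0))
        body = json.loads(self.rfile.read(length) or b"{}")
        # Placeholder (assumed) reply: a real node would dispatch body["method"] here.
        reply = json.dumps({"jsonrpc": "2.0", "id": body.get("id"), "result": "ok"}).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(reply)))
        self.end_headers()
        self.wfile.write(reply)


if __name__ == "__main__":
    # 8545 is assumed here as the conventional local JSON-RPC port.
    HTTPServer(("127.0.0.1", 8545), RpcHandler).serve_forever()
```

Note what this does and does not buy: it stops a browser on the same machine from being used as a relay by a page on another origin, which is the thread's DNS rebinding scenario, but it does nothing about the other point raised above. Another local user, or any local process, can still send `Host: localhost` directly, so the Host check is a complement to authentication on the RPC endpoint and a password on the wallet, not a replacement for them.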



