
They are but it's not a problem of the ethereum foundation.

Rather, it's a problem of DNS resolvers and browsers.



Having a service accepting commands with no authorization is a vulnerability. If there are multiple users on the machine they can empty each other’s wallets.


Localhost is, to some extent, a trusted context.

Additionally this requires not having a password on your wallet.


In most cases, especially ones like this, that trust is misplaced and dangerous.


That's more the fault of the browser for allowing an untrusted context to access a trusted context while circumventing the usual protections (i.e., CORS, SOP).


These ‘protections’ do not provide a ‘trusted context’ and cannot defend you from another user on the same computer.

Now your next mistake will be saying ‘but typically there’s only one user’, which is irrelevant because the system runs services as different users for isolation purposes and this vulnerability ignores this isolation.
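Added example, not code from the thread or from any project it refers to: the three ways a "localhost is trusted" assumption fails in this discussion, each paired with the server-side check that closes it. A DNS resolver that lets a browser map an attacker's name to 127.0.0.1 (rebinding) shows up as a Host header that does not name localhost; a cross-origin page reaching the service without a CORS preflight still carries an Origin header; another OS user on the same machine carries neither, which is why a per-user secret is the only thing that actually identifies the caller. The API shape (a JSON-RPC style POST body with a `method` field), the token file described in the comments, and all names here are assumptions for illustration.

```javascript
// Added example (not from the thread). Authorization logic for a hypothetical
// wallet-style HTTP API listening on localhost. Headers are given with
// lowercase keys, as Node's http module provides them; the body is the parsed
// JSON object. Nothing here is a real product's API.

const ALLOWED_HOSTS = new Set(["localhost", "127.0.0.1", "[::1]"]);

// Constructed stand-in for a random per-install token the service would write
// to a file readable only by its owning OS user (mode 0600). A web page cannot
// read that file, and neither can a different local user.
const SESSION_TOKEN = "9f3a6d2c1b4e8f7a5c0d2e1f3b4a6c8d";

// Strip an optional port from a Host header, keeping IPv6 brackets:
// "localhost:8545" -> "localhost", "[::1]:8545" -> "[::1]".
function hostnameOf(hostHeader) {
  if (!hostHeader) return null;
  const m = /^(\[[^\]]+\]|[^:]+)(?::\d+)?$/.exec(hostHeader.trim());
  return m ? m[1].toLowerCase() : null;
}

// Length-independent comparison so a wrong token leaks nothing via timing.
function constantTimeEqual(a, b) {
  const sa = String(a), sb = String(b);
  let diff = sa.length ^ sb.length;
  for (let i = 0; i < Math.max(sa.length, sb.length); i++) {
    diff |= (sa.charCodeAt(i) || 0) ^ (sb.charCodeAt(i) || 0);
  }
  return diff === 0;
}

// Returns { ok: true } or { ok: false, reason } for one request.
function authorizeRequest(headers, body, opts = {}) {
  const allowedOrigins = opts.allowedOrigins || new Set();
  const token = opts.token || SESSION_TOKEN;

  // 1. DNS rebinding: the browser resolved attacker.example to 127.0.0.1 and
  //    sent "Host: attacker.example". Only Host values naming localhost pass.
  const host = hostnameOf(headers["host"]);
  if (!host || !ALLOWED_HOSTS.has(host)) {
    return { ok: false, reason: "host header does not name localhost" };
  }

  // 2. Cross-origin web page: browsers attach Origin to cross-origin POSTs,
  //    including "simple" ones that never trigger a CORS preflight, so SOP
  //    alone did not stop the request from arriving. Allow-list explicitly.
  if (headers["origin"] !== undefined && !allowedOrigins.has(headers["origin"])) {
    return { ok: false, reason: "origin not allowed" };
  }

  // 3. Another OS user: the network stack says nothing about who is calling,
  //    so require the secret only the owning user can read from disk.
  const auth = headers["authorization"] || "";
  const presented = auth.startsWith("Bearer ") ? auth.slice(7) : "";
  if (!constantTimeEqual(presented, token)) {
    return { ok: false, reason: "missing or wrong bearer token" };
  }

  // Minimal shape check on the command itself; value-moving methods should
  // additionally require the wallet password the thread mentions (not modelled).
  if (typeof body !== "object" || body === null || typeof body.method !== "string") {
    return { ok: false, reason: "malformed request body" };
  }
  return { ok: true };
}

// The behaviour the thread criticises: every command is accepted as-is.
function authorizeRequestWeak(headers, body) {
  return { ok: true };
}
```

The Host check is what defeats rebinding because the attacker controls the resolver answer but not what the browser puts in the Host header; the Origin check covers pages that reach the port legitimately through 127.0.0.1; only the token addresses the same-machine, different-user case that the last comment raises, since that caller is indistinguishable from the owner at the network layer.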



