Modern linux security thinking is that any sort of code running inevitably leads to root privilege.
Put another way, any user can become root through privilege escalation, so access control is pointless, since any untrusted user can take over the machine.
The real unit of security is the whole OS (VM), not its internal user boundaries.
This kind of mindset exists but is not a consensus. And even if it became consensus, it would still take many, many years for most developers to stop using ssh forwarding with localhost listeners in a security reliant way.
Also, the loopback is used as a networking interconnect or guest->host channel for sandboxed containers and VMs, so it's security sensitive in this way.
Put another way, any user can become root through privilege escalation, so access control is pointless, since any untrusted user can take over the machine.
The real unit of security is the whole OS (VM), not its internal user boundaries.