To explain your error a bit less facetiously, the point my sibling is making is that SOP is the default policy, which is maximally restrictive. CORS is a technology used to relax SOP, to make it less restrictive.
So it is not CORS that protects, since it restricts nothing, but SOP (potentially relaxed by CORS).
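
The relationship described in this comment, as an added example that is not part of the original comment: a simplified JavaScript model of the browser's decision on whether page script may read a response. The function name `canScriptRead` and the `.example` origins used with it are hypothetical, and preflight requests are not modelled.

```javascript
// Simplified model of a browser's cross-origin read check (added example).
// Assumptions: preflight, redirects and opaque responses are not modelled;
// any origins passed in are constructed sample values.
const originOf = (url) => new URL(url).origin; // scheme + host + port

function canScriptRead(pageUrl, resourceUrl, responseHeaders = {}, withCredentials = false) {
  const pageOrigin = originOf(pageUrl);

  // Same origin: SOP permits the read; CORS headers are never consulted.
  if (originOf(resourceUrl) === pageOrigin) {
    return { readable: true, reason: "same-origin" };
  }

  // Cross-origin: SOP denies by default. From here on, the response
  // headers can only turn that "no" into a "yes", never the reverse.
  const headers = new Map(
    Object.entries(responseHeaders).map(([k, v]) => [k.toLowerCase(), v])
  );
  const acao = headers.get("access-control-allow-origin");
  if (acao === undefined) {
    return { readable: false, reason: "no CORS header, SOP default applies" };
  }
  // A wildcard relaxes SOP only for requests sent without credentials.
  if (acao === "*" && !withCredentials) {
    return { readable: true, reason: "relaxed by CORS wildcard" };
  }
  if (acao !== pageOrigin) {
    return { readable: false, reason: "CORS header does not name this origin" };
  }
  // Credentialed reads also need Access-Control-Allow-Credentials: true.
  if (withCredentials && headers.get("access-control-allow-credentials") !== "true") {
    return { readable: false, reason: "credentials not allowed by CORS" };
  }
  return { readable: true, reason: "relaxed by CORS for this origin" };
}
```

Removing every CORS header from a response can only move a result from readable to blocked, which is why a missing or misconfigured header fails closed.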