
Neat, if you want to leak your users' credentials in an XSS attack.


I would only use something like this that requires absolutely no authentication. For example, I had a one page app that showed me instantly when the next shuttle(s) were scheduled for my stop. Instead of having to click through multiple steps, this allowed me to see it in one step. As far as I know, I was the only user for this thing I built and put up on GitLab Pages. I don't know exactly because I didn't bother to track who visited the page.


This is the way to go; you wouldn't want to use a CORS proxy for something authenticated/with credentials (e.g. API key). But for public unauthenticated requests, they work just fine.


Oh that explains why it's not a popular architecture.



