Comment by Spivak

Huh? I have this permission in Firefox right now. It looks like Safari handles this with the OS local network permission.

True I did assume machines are single user, I haven't seen a shared computer in ages. Doing local development I have insecure/incomplete software listening on localhost all the time while developing it. And lots of people have passwordless sudo, or unprivileged access to the docker socket so protection against local processes running as me is not part of my threat model. And I know this is pretty dev centric but OpenCode is dev centric as well.