I read https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS and I wonder what or who that should protect. If you start Chrome, for example, in a mode without security restrictions, it calls all the APIs on the other domain without preflight or anything. This means a naughty guy can get around this very easily. I don't see how this should protect the owner of a server application; the owner of such an application can have authentication to protect their site. So what is the scenario, and who gets protected?
Answer 1:
It's not the owner of the service that gets protected, it's the user.
If you as a user are logged into application A, without CORS protection, application B can make requests on behalf of the user on application A.
This is extremely dangerous for the user and their data.
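
A simplified model of the check described in the answer above, as an added example that is not part of the original post: application A's API sends CORS headers only for an allowlisted origin, and the browser decides whether a page's script may read the credentialed response. The origins, the allowlist and the function names are constructed for illustration.

```javascript
// Added example: simplified model of the CORS read check, not a full Fetch implementation.
// All origins are constructed placeholders.
const APP_A_ALLOWLIST = new Set(["https://www.app-a.example"]);

// Server side (application A's API): choose the CORS headers for a request.
function corsHeaders(requestOrigin, allowlist = APP_A_ALLOWLIST) {
  const headers = { Vary: "Origin" };
  if (requestOrigin && allowlist.has(requestOrigin)) {
    // Echo only an allowlisted origin; never reflect an arbitrary Origin header.
    headers["Access-Control-Allow-Origin"] = requestOrigin;
    headers["Access-Control-Allow-Credentials"] = "true";
  }
  return headers;
}

// Browser side: may script running on pageOrigin read this cross-origin response?
function browserAllowsRead(pageOrigin, responseHeaders, withCredentials) {
  const allowOrigin = responseHeaders["Access-Control-Allow-Origin"];
  if (allowOrigin === undefined) return false;
  if (withCredentials) {
    // With the user's cookies attached, "*" is rejected and the origin must match exactly.
    return allowOrigin === pageOrigin &&
      responseHeaders["Access-Control-Allow-Credentials"] === "true";
  }
  return allowOrigin === "*" || allowOrigin === pageOrigin;
}

// Scenario: the user is logged in to A; pages from two origins attempt a credentialed read.
function scenario() {
  const pages = ["https://www.app-a.example", "https://app-b.example"];
  return pages.map((pageOrigin) => ({
    pageOrigin,
    canRead: browserAllowsRead(pageOrigin, corsHeaders(pageOrigin), true),
  }));
}

console.log(scenario());
```

The decision is made in the user's browser, so a browser started with these checks disabled only removes that user's own protection.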