1. JS can send data anywhere, GET request, for example.
2. CORS is needed in order to allow the CLIENT (browser) to accept certain types of resources.
Traditionally, a browser can include images, iframes, scripts, and flash from other domains, but cannot use ajax or web fonts unless that domain is on the server's Access-Control-Allow-Origin list.
UPD: I will add, otherwise, judging by the comments, some people have a distorted idea of ​​​​CORS.
To begin with, it is worth understanding that cors is a way to bypass the same origin policy
Once upon a time, back in the days of win95, in order to complicate xss and phishing, Netscape introduced restrictions on scripts executed in the browser. A little later, other browsers also caught up.
If on the fingers, then it works like this: Vasily opened an online store "windows, balcony, cheap, without SMS" and inserted an iframe widget from PayPal, for example. And same origin protects this iframe, Vasya's scripts cannot affect its content.
The same thing in the other direction - the site has set itself the left informer in the iframe, and the scripts of this informer cannot affect the main site.
Sometimes there is a situation when you need to connect some resources from your own subdomains or from partner domains. And if you need access to those resources, you use cors to reverse the same origin.
In any case, cors is just additional headers returned by the server. They will not prevent "third parties" from gaining access to these resources. In extreme cases, they can be downloaded with wget.