My understanding is that the same-origin policy needs to exist because browsers automatically send any cookies for bakery.com along with any request to bakery.com, including one that was initiated from evil.com. So if bakery.com uses cookies to tell if the user is logged in, a request from evil.com would come with the same cookies and would be seen as coming from the same logged-in user.

But say there's a website fancy.com that doesn't use cookies for authentication. Maybe it stores the user's password in localStorage and sends it as part of every request. Since evil.com can't access fancy.com's localStorage, it wouldn't know what password to send.

Another example I've seen of why the same-origin policy is necessary is if private.com only allows requests from within a local network. If someone within that network opens a page from evil.com, their browser could send a request to private.com that would be seen as originating from within that network.

Are those the only cases where cross-origin requests are a security risk? If promiscuous.com neither uses cookies nor checks the address that the request is coming from, is it always safe for that website to allow requests from any origin? If not, why not?

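The three cases described in the question can be put side by side in a small model of what the browser supplies on its own versus what page script has to supply. This is an added example, not part of the original post; `BrowserModel`, `callFrom`, the `x-password` header, the cookie and password values and the network name are all constructed for illustration, and the model ignores SameSite and CORS.

```javascript
// Constructed model: what a server sees when a page makes the browser call it.
// Simplified on purpose: hostnames stand in for origins; SameSite and CORS are ignored.
class BrowserModel {
  constructor(network) {
    this.network = network;        // where the user's machine sits
    this.cookies = new Map();      // target host -> cookie
    this.storage = new Map();      // owning origin -> { key: value }
  }
  // localStorage is partitioned by origin: a page reads only its own.
  readStorage(pageOrigin, ownerOrigin, key) {
    if (pageOrigin !== ownerOrigin) return null;
    return (this.storage.get(ownerOrigin) || {})[key] ?? null;
  }
  request(pageOrigin, targetHost, headers) {
    return {
      initiator: pageOrigin,
      sourceNetwork: this.network,                   // ambient: follows the browser
      cookie: this.cookies.get(targetHost) ?? null,  // ambient: keyed by target
      headers,                                       // explicit: set by page script
    };
  }
}

// Hypothetical server-side checks, one per site in the question.
const servers = {
  "bakery.com": (req) => req.cookie === "session=alice",
  "fancy.com": (req) => req.headers["x-password"] === "hunter2",
  "private.com": (req) => req.sourceNetwork === "office-lan",
};

// A page on pageOrigin calls targetHost, adding the stored password if it can read it.
function callFrom(browser, pageOrigin, targetHost) {
  const pw = browser.readStorage(pageOrigin, targetHost, "password");
  const req = browser.request(pageOrigin, targetHost, pw ? { "x-password": pw } : {});
  return servers[targetHost](req);
}

function demo() {
  const b = new BrowserModel("office-lan");
  b.cookies.set("bakery.com", "session=alice");
  b.storage.set("fancy.com", { password: "hunter2" });
  const out = {};
  for (const host of Object.keys(servers)) {
    out[host] = { ownPage: callFrom(b, host, host), evilPage: callFrom(b, "evil.com", host) };
  }
  return out;
}

console.log(demo());
```

In this model the cookie check and the network check pass for a request initiated from evil.com because the browser supplies those values itself, while the localStorage password check fails because the evil.com script cannot read fancy.com's storage.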