Is app_api request protected from CSRF attacks on CORS routes?

  • I want to set up apps using app_api
  • In CORSMiddleware.php, I see a comment like the below:

// ensure that @CORS annotated API routes are not used in conjunction
// with session authentication since this enables CSRF attack vectors

Why do you think it is not safe?

  • ‘app_api’ session key is set only after the AppAPIAuth check is valid (Authentication — AppAPI latest documentation) for the request from the ExApp, which we don’t need to secure against, as a registered ExApp is trusted.
  • ExApps don’t have a session
  • ExApps don’t work with cookies
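As an added illustration (not code from this post, from Nextcloud or from AppAPI), a small Python model of the rule the CORSMiddleware comment states: on a @CORS route, a credential the browser attaches on its own (a session cookie) is refused because a cross-origin page could ride on it, while an explicit per-request credential is accepted. The cookie name, the ExApp header name and the route table are constructed assumptions.

```python
"""Model of the rule behind the CORSMiddleware comment: a @CORS route must not
accept an ambient credential (session cookie), because the browser adds it to any
request, including one triggered by another origin (CSRF). Explicit credentials
(Authorization header, or the header an ExApp sends) are not attached by the
browser by itself, so they do not carry that risk.
Names below are constructed for the example; they are not AppAPI's constants."""
from dataclasses import dataclass, field

SESSION_COOKIE = "nc_session_id"             # constructed session cookie name
EXAPP_AUTH_HEADER = "AUTHORIZATION-APP-API"  # assumed ExApp auth header name
CORS_ROUTES = {"/ocs/v2.php/apps/example/api/v1/items"}  # constructed route table


@dataclass
class Request:
    path: str
    headers: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)


def auth_kind(req: Request) -> str:
    """Classify how the request is authenticated, explicit credentials first."""
    if EXAPP_AUTH_HEADER in req.headers:
        return "exapp"      # explicit per-request credential from a registered ExApp
    authz = req.headers.get("Authorization", "").lower()
    if authz.startswith(("bearer ", "basic ")):
        return "token"      # explicit credential the caller added deliberately
    if SESSION_COOKIE in req.cookies:
        return "session"    # ambient credential: sent automatically by the browser
    return "none"


def cors_route_allows(req: Request) -> tuple[bool, str]:
    """Return (allowed, reason) for a request, applying the CORS-route rule.

    Non-CORS routes are left to the regular CSRF-token checks; CORS routes refuse
    session-only authentication and require an explicit credential.
    """
    if req.path not in CORS_ROUTES:
        return True, "not a CORS route; regular CSRF token checks apply"
    kind = auth_kind(req)
    if kind == "session":
        return False, "session auth on a CORS route enables CSRF; use explicit credentials"
    if kind == "none":
        return False, "unauthenticated"
    return True, f"authenticated via {kind} credential"
```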