Hello
Some user need to allow CORS (Cross-origin resource sharing) to be able sharing data with external in-browser application (like observablehq.com). Many software make CORS settings available to administrator level.
But it will be fairest to let the user choose, isn’t it ?
I’ve opened the issue CORS setting at user level · Issue #30964 · nextcloud/server · GitHub which you can add a 
Regards & cheers 