1. Attacker installs zoom.
2. Attacker starts to join meeting foo.
3. zoom.us creates a signed request saying "join meeting foo" and gives it to Attaker.
4. Attacker takes that signed request and sends it from attacker.com to localhost inside Victim's browser.
5. Victim's zoom native app gets the request, validates the signature, and joins the meeting.
I think it can be modified to be safe if there's a key exchange between zoom.us and the native app, and zoom.us signs the key exchange with its private key. But this seems hugely overkill compared to a simple Origin check, or even compared to a traditional XSRF token (via a cookie on localhost).