If you have any unauthenticated routes that you don't want arbitrary websites calling.
> using JWT in a typical SPA <-> API scenario.
Is this typical? It's a pretty horrible setup.
Cookies have a lot of great features that 'store a JWT in LocalStorage' just doesn't have.
This doesn't actually prevent arbitrary websites from calling them; it just makes it a tiny bit harder. They could always just proxy your endpoint and add the CORS headers.
I'm still interested in the original question: if you use localstorage for auth tokens and you have proper CSRF protection, what does allowing all CORS actually make you vulnerable to?
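An added illustration of that question (not code from the thread): a small CORS-header decision helper for a Node.js API, assuming a constructed origin allow-list, that shows why reflecting any Origin together with credentials is dangerous for cookie sessions, while `*` without credentials exposes nothing a server-side proxy could not already fetch, because the browser never attaches a localStorage token on its own.

```javascript
// Added example (not from the thread). Assumes Node.js; ALLOWED_ORIGINS is a
// constructed allow-list standing in for a real deployment's configuration.
const ALLOWED_ORIGINS = new Set(['https://app.example.com']);

// Decide the CORS response headers for one request.
//   origin          - the request's Origin header (undefined if absent)
//   authMode        - 'cookie': browser attaches the session automatically
//                     'bearer': client code must add Authorization itself
//   allowAllOrigins - the "allow all CORS" setting asked about above
function corsHeaders(origin, authMode, allowAllOrigins) {
  const headers = {};
  // No Origin means same-origin or a non-browser client (curl, a proxy):
  // CORS is not involved and cannot restrict anything here.
  if (!origin) return headers;

  if (allowAllOrigins) {
    if (authMode === 'cookie') {
      // Reflecting every Origin with Allow-Credentials would let any site read
      // responses sent with the victim's cookie. Refuse to build that answer.
      throw new Error('refusing to reflect arbitrary Origin with credentials');
    }
    // Bearer mode: '*' only unlocks unauthenticated reads, because browsers
    // reject a credentialed response whose Allow-Origin is '*', and a foreign
    // page cannot read another origin's localStorage to obtain the token.
    headers['Access-Control-Allow-Origin'] = '*';
    return headers;
  }

  // Allow-list mode: echo only known origins, and mark the response as
  // varying by Origin so caches do not serve one origin's answer to another.
  if (ALLOWED_ORIGINS.has(origin)) {
    headers['Access-Control-Allow-Origin'] = origin;
    headers['Vary'] = 'Origin';
    if (authMode === 'cookie') headers['Access-Control-Allow-Credentials'] = 'true';
  }
  return headers;
}
```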