Adding localhost as an allowed origin in the backend code is not less secure.
CORs is designed as an additional layer of authorization which weakens read access to resources between and within browsers. Using an alternative technology like native HTTP calls bypasses all the security protocols provided by the web browser (eg CORS, CSP) and still leaves you open to XSS (Cross Site Scripting Attacks).
CORS is designed to prevent other websites (within the browser context only) using your APIs. It's worth noting that this is for a browser context only, you can simple call your API from an application, there is no security here. It just a restriction on resource sharing with browsers that prevents read access to a resource (which also happens to prevent a form of cross site scripting (XSS) attack using cookies).
Having given the concept that CORS does not provide any additional security when talking about API access, this means that that allowing a particular domain like localhost does not make your API less secure.
What about XSS?
Some good links for research: