Hey Andrew!
We've been kicking around the same idea recently, too. In our case, we landed on one good reason not to —
With a lot of our services, it does make sense for API clients to want to perform certain actions from a browser. But the API keys themselves are often privileged, and shouldn't be laying around on the client-side. Eventually, we plan to have a "public" API to wrap up the common services API clients want to use from a browser, with a "public" authentication mechanism — for that we'll enable CORS generally.
For request methods other than GET, POST and HEAD, that pre-flight malarkey should be all wrapped up in libraries. The tricky part iirc is browser support on older browsers.
-c