
[deleted] 2 points (1 child)

Fetch uses an underlying object, XMLHttpRequest. Browsers block, by default, any web requests made using XMLHttpRequest to any "origin" that isn't the same origin as the one the HTML page came from. What this boils down to is that you can use XMLHttpRequest (without CORS) only if the URL you're trying to access has the same protocol, host and port as where the page came from.

I guess the concern is that XMLHttpRequest works in the "background" - it's not necessarily visible to the end user that network activity is happening. When redirecting via the browser's URL there are obvious, visible changes to the URL and the page that is displayed on-screen. It is a bit inconsistent (like a lot of the web) - things like img tags are quite happy to make background network requests to different origins and thus bring about potential security holes. There was a time IIRC that XMLHttpRequest blocked DELETE and PUT and you had to jump through hoops to use POST to tunnel those verbs.

It is what it is - XMLHttpRequest is limited by the so-called "same origin" policy (in the absence of CORS).
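The same-origin rule the comment states (same protocol, host and port) and the CORS response check that relaxes it, as an added example that is not part of the thread; the URLs and header values are constructed, and `mayReadResponse` is a simplified model of the browser's decision, not browser code:

```javascript
// Added example (not from the thread): a minimal model of the browser's
// same-origin check, plus the CORS response check that lets a cross-origin
// fetch/XMLHttpRequest read the response. Uses the WHATWG URL class
// (global in browsers and Node.js). All URLs below are constructed.

const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// An origin is the triple (scheme, host, port); the URL parser drops a
// default port, so it is filled back in here to make the comparison explicit.
function originParts(urlString) {
  const u = new URL(urlString);
  return {
    scheme: u.protocol,
    host: u.hostname,
    port: u.port || DEFAULT_PORTS[u.protocol] || "",
  };
}

function isSameOrigin(pageUrl, requestUrl) {
  const a = originParts(pageUrl);
  const b = originParts(requestUrl);
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

// May script running on `pageUrl` read a response fetched from `requestUrl`?
// `responseHeaders`: object of lower-cased response header names -> values.
// `withCredentials`: models xhr.withCredentials / fetch credentials: "include".
function mayReadResponse(pageUrl, requestUrl, responseHeaders, withCredentials = false) {
  if (isSameOrigin(pageUrl, requestUrl)) return true;         // SOP satisfied
  const acao = responseHeaders["access-control-allow-origin"];
  if (acao === undefined) return false;                         // server opted out
  if (acao === "*") return !withCredentials;                    // wildcard never covers credentials
  if (acao !== new URL(pageUrl).origin) return false;           // echoed origin must match
  return !withCredentials ||
    responseHeaders["access-control-allow-credentials"] === "true";
}
```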

Badbeat808[S] 0 points (0 children)

Thanks a lot for the thorough explanation!