I’ve noticed that a more detailed writeup is warranted! So I’ll be working on that.

CORS is enabled on lemmy, you have to send the ‘Origin’ header in order to get the Access-Control headers. Which allows cross-origin for simple requests. No added headers, cookies or other data. So all API calls are made in JS by your browser.