I think the main issue with the way Observable sets up the origin for code cells is that, unlike the notebook itself, which has the https://beta.observablehq.com origin, code cell frames are pinned to custom user static content.
See origin request header generated from a fetch() cell call:
Therefore, even if you have control over the server hosting a data API you’d like others to use on Observable, you can’t simply add beta.observablehq.com to the ‘Access-Control-Allow-Origin’ whitelist response header for all devs on this site to use your API without CORS proxies, unless you use * for the public, which is not recommended.
In fact, you can’t even use the Observable API itself, despite the fact that the notebook document makes those requests for user info, collections, etc.
I put a short fetch.js notebook together to demonstrate this here (with links to specs and other fetch notebooks):
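Added example, not part of the post or its notebook: one way an API owner could answer per-user frame origins without falling back to `*` is to validate the request's `Origin` against a strict pattern and echo it back with `Vary: Origin`. The suffix `.static.usercontent.example` is a hypothetical placeholder for the per-user frame domain, and the function names are illustrative.

```javascript
// Exact origins the API trusts (the notebook origin is the one named in the post).
const EXACT_ORIGINS = new Set(["https://beta.observablehq.com"]);

// Hypothetical parent domain of the per-user cell frames (placeholder, not from the post).
const USER_FRAME_SUFFIX = ".static.usercontent.example";

// A single DNS label: letters, digits, inner hyphens only.
const LABEL = /^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$/;

function isAllowedOrigin(origin) {
  if (typeof origin !== "string" || origin === "null") return false;
  if (EXACT_ORIGINS.has(origin)) return true;

  let url;
  try {
    url = new URL(origin);
  } catch {
    return false; // not a parseable origin
  }
  // An Origin header is scheme://host[:port]; reject anything that does not
  // round-trip exactly (paths, userinfo, uppercase hosts, explicit default port).
  if (url.origin !== origin) return false;
  if (url.protocol !== "https:" || url.port !== "") return false;

  // Require exactly one label in front of the suffix, so lookalikes such as
  // "x.static.usercontent.example.evil.test" or nested subdomains do not match.
  const host = url.hostname;
  if (!host.endsWith(USER_FRAME_SUFFIX)) return false;
  return LABEL.test(host.slice(0, -USER_FRAME_SUFFIX.length));
}

function corsHeaders(requestOrigin) {
  // Vary: Origin keeps shared caches from replaying one origin's response to another.
  const headers = { Vary: "Origin" };
  if (isAllowedOrigin(requestOrigin)) {
    headers["Access-Control-Allow-Origin"] = requestOrigin;
  }
  return headers;
}

// Constructed sample origins.
console.log(corsHeaders("https://alice.static.usercontent.example"));
console.log(corsHeaders("https://alice.static.usercontent.example.evil.test"));
```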