User agents (such as browsers) apply same-origin restrictions to code execution in order to keep data in a location accessible only to the client and the user agent.
To be clear, the browser (the client) enforces the Same-Origin Policy, not the server. It is the browser's responsibility to honor the restrictions. If you write your own programmatic HTTP client, you will not run into any problem with this policy.
The same-origin policy applies to network ajax requests.
By default, ajax requests that are
Important: A browser may freely perform cross-origin requests for every embedded media resource type (such as image, …) in the web page.
These restrictions:
To relax this policy for cross-origin requests, see What is Cross Origin Resource Sharing (CORS)?
Data stored in the browser, such as Web Storage (sessionStorage / localStorage) and IndexedDB, is also subject to the same-origin policy: code from one origin cannot see the data of another origin.
Cookies (first and foremost session cookies) are also subject to the same-origin policy, but cookies use a separate definition of origin (see What is a Cookie? (HTTP Set-Cookie Header)), where a page can set a cookie to be visible for its own domain or any parent domain.
With Site Isolation (i.e. process isolation), it's much more difficult for a malicious website to use speculative side-channel attacks like Spectre to steal data from other sites.
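The difference between the two definitions, as an added example that is not part of the original page: it compares two URLs by origin (scheme, host and port) and by cookie Domain matching, so that a pair of pages can be cross-origin for storage and Ajax yet still share a cookie. The hostnames and the helper names (sameOrigin, domainMatch, scopeGap) are constructed for illustration, and the public suffix check that browsers add on top of Domain matching is left out.

```javascript
// Added example; hostnames are constructed and helper names are hypothetical.

// Same-origin check: scheme, host and port must all be equal.
// Opaque origins (file:, data:) serialize to "null" and never match anything.
function sameOrigin(a, b) {
  const oa = new URL(a).origin;
  const ob = new URL(b).origin;
  return oa !== "null" && oa === ob;
}

// Cookie domain matching: the host equals the Domain value or is a
// subdomain of it. IP addresses only ever match exactly.
// Simplification: no public suffix list lookup (browsers refuse Domain=com).
function domainMatch(host, cookieDomain) {
  const h = host.toLowerCase();
  const d = cookieDomain.toLowerCase().replace(/^\./, "");
  const isIp = /^[\d.]+$/.test(h) || h.startsWith("[");
  if (isIp) return h === d;
  return h === d || h.endsWith("." + d);
}

// For a page that sets a cookie with the given Domain attribute, report
// whether the other URL is same-origin and whether it receives the cookie.
function scopeGap(pageUrl, otherUrl, cookieDomain) {
  const pageHost = new URL(pageUrl).hostname;
  const otherHost = new URL(otherUrl).hostname;
  // A page may only name its own host or one of its parent domains.
  const pageCanSet = domainMatch(pageHost, cookieDomain);
  return {
    sameOrigin: sameOrigin(pageUrl, otherUrl),
    pageCanSet,
    cookieSentToOther: pageCanSet && domainMatch(otherHost, cookieDomain),
  };
}

// Constructed case: two sibling subdomains and a parent-domain cookie.
const gap = scopeGap(
  "https://app.example.com/login",
  "https://blog.example.com/post",
  "example.com"
);
console.log(gap);
```

When sameOrigin is false and cookieSentToOther is true, script on the second host cannot read the first host's localStorage or IndexedDB, but requests to it still carry the shared cookie.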