Tags: csrf, csrf-protection

why no csrf for GET requests


I have read that there is no need for CSRF on GET requests since they are considered safe.

However one scenario I can think of is an attack like this:

<img src="https://otherdomain.com/logout" />

This would be bad without CSRF protection. Of course, one could require the logout route to require POST, but I often see it implemented as a simple href.

Furthermore, why are GETs safe at all? They still leak the data in the response...


Solution

  • It's a write-only attack. From the OWASP page on CSRF:

    CSRF attacks target functionality that causes a state change on the server, such as changing the victim's email address or password, or purchasing something. Forcing the victim to retrieve data doesn't benefit an attacker because the attacker doesn't receive the response, the victim does. As such, CSRF attacks target state-changing requests.

    As long as GET requests don't change state, they are of no value to the hacker.

    I suppose the logout example you provided could pose an inconvenience to a user, but there is no actual harm and no actual benefit to the hacker.
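The logout case from the question, as an added example that is not part of the original question or answer: a small in-memory model of a server with a naive GET logout beside a hardened POST logout that requires a per-session token. The browser's behaviour (attaching the victim's cookie to a cross-site `<img>` fetch, but sending no form body) is simulated; all function and field names are hypothetical.

```python
"""Added example: why GET /logout is a CSRF target and how POST + token closes it."""
import secrets

# Constructed in-memory session store: session_id -> {"user": ..., "csrf": ...}
SESSIONS = {}


def login(user):
    """Create a session and return the id the browser would keep in a cookie."""
    sid = secrets.token_hex(8)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_hex(16)}
    return sid


def is_logged_in(sid):
    return sid in SESSIONS


def handle_get_logout(sid):
    """Naive logout reachable from a plain href: it changes state on a GET,
    so any cross-site <img src="https://otherdomain.com/logout"> that carries
    the victim's cookie ends the session. Returns the HTTP status code."""
    SESSIONS.pop(sid, None)
    return 200


def handle_post_logout(sid, form):
    """Hardened logout: state changes only on POST with a token bound to the
    session. A cross-site <img> or <form> has no way to learn the token."""
    session = SESSIONS.get(sid)
    if session is None:
        return 401
    if not secrets.compare_digest(form.get("csrf", ""), session["csrf"]):
        return 403
    del SESSIONS[sid]
    return 200


def simulate_img_fetch(sid, handler):
    """Model the browser fetching the attacker's <img>: the cookie (sid) is
    sent, but there is no form body, and the attacker never sees the response.
    Returns True if the victim's session survived."""
    handler(sid, {}) if handler is handle_post_logout else handler(sid)
    return is_logged_in(sid)
```

The naive GET handler is the "inconvenience" the answer describes; the hardened handler also shows why the attacker gains nothing from the response, since only the status code ever comes back and it goes to the victim's browser.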