Tags: node.js, http, https, cors, phishing

What is the purpose of a CORS whitelist?


I have a GraphQL API that has CORS enabled and I have an array of valid origins, URLs from which client-side requests can be made to the API.

const express = require("express");
const cors = require("cors");
const app = express();
// Only browser requests from these origins get Access-Control-Allow-Origin back
app.use(cors({
  origin: ["https://example.com"],
  optionsSuccessStatus: 200
}))

What is the real purpose of blocking origins? Because this is an API, any server can talk directly to it. This really only prevents / limits clients from accessing the API.

If it's important at all to actually have a real whitelist, my question is: should I allow http protocols, because http protocols can be easily spoofed / phished?

  1. What's the main downside or security vulnerability of allowing any origin (*) to a CORS enabled API?
  2. Should a CORS whitelist domain ever support http origins?

Solution

  • To answer your first question, when you use the * you are allowing anyone and every website to make requests to your API.

    For your second question use your own discretion but ask yourself:

    Will there be a lot of traffic on your website?
    Why would someone want access to my API?
    Do I have any routes that can cause harm to myself/company?
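Added example, not code from the question or the answer above: a strict origin check that can replace the static array in the `cors` `origin` option. It enforces an exact, scheme-inclusive match against an allowlist (the allowlist values are constructed), so plain-http variants, lookalike hosts and the "null" origin are refused, and it shows the callback shape the `cors` package expects. The Express wiring is left as comments so the check runs without dependencies.

```javascript
// Constructed allowlist: full origins (scheme + host [+ port]), nothing else.
const ALLOWED_ORIGINS = new Set([
  "https://example.com",
  "https://app.example.com",
]);

// Returns true only for an exact, scheme-inclusive match. Exact matching
// avoids the usual mistakes: substring/regex checks that accept
// "https://example.com.evil.test", trusting the opaque "null" origin, and
// accepting the http:// twin of an https site, which anyone on the network
// path could impersonate. It also normalises case and the default port.
function isAllowedOrigin(origin) {
  if (typeof origin !== "string" || origin === "null") return false;
  let parsed;
  try {
    parsed = new URL(origin);
  } catch (e) {
    return false; // not a syntactically valid origin
  }
  // A real Origin header has no path, query or fragment.
  if (parsed.pathname !== "/" || parsed.search || parsed.hash) return false;
  if (parsed.protocol !== "https:") return false; // never whitelist http
  return ALLOWED_ORIGINS.has(parsed.origin);
}

// Shape required by the cors package's `origin` option: it is called with the
// request's Origin header (undefined for same-origin or non-browser clients)
// and a Node-style callback. Note that CORS only restricts what a browser
// lets a cross-site page read; a curl or server-side client ignores it, so
// this is a browser-user protection, not access control for the API itself.
function corsOriginDelegate(origin, callback) {
  if (origin === undefined) return callback(null, false); // no CORS headers needed
  if (isAllowedOrigin(origin)) return callback(null, origin); // echo exact origin
  return callback(null, false); // no Allow-Origin header: browser blocks the read
}

// Wiring (assumes Express and the cors package are installed):
// const cors = require("cors");
// app.use(cors({ origin: corsOriginDelegate, credentials: true }));

module.exports = { isAllowedOrigin, corsOriginDelegate };
```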