>it means that it's impossible to download public data from a web app without proxying it through your own server.
Maybe with a subdomain that points to the target website IP? If it supports HTTP and doesn't check the host header it should be fine. That's pretty exceptional these days though.
Edit: I just checked and a subdomain won't do it, it needs CORS as well.
It isn't. China is the best example that draconian identity verification / KYC processes don't stop scammers.