Different authors and documents are considered part of the same domain since the tokens are just path elements. The whole IPFS gateway might be considered one big domain.
So javascript in an essay can access/put the API.
I didn't really look into it too much, just wanted to give a pointer that this might need to be considered. In the sense that it might have security implications.
No, you're right in this, if you have it enabled, any app can put stuff to your endpoint. The people of IPFS are working on fixing this problem, but I personally think that the risk is low enough. Maybe I'm just not creative enough in thinking about attacks, though.
So javascript in an essay can access/put the API.
I didn't really look into it too much, just wanted to give a pointer that this might need to be considered. In the sense that it might have security implications.