In accordance with what has been said on the launcher security topic:
I believe the usage of api.safnet is the better way to go, and disallowing localhost is a way to better enforce that. Agreeably, this breaks many current apps (including my very own Ghost in the Safe), but that means our apps are broken and should be fixed, rather than including that bad rule. I will see how I can make that happen for GitS soon, but I’ll not add that rule in the topic description as I recommend against it.