Agreed. There is not point disallowing the usage of the Launcher API directly. It has to make an interface available locally either way. But this post only focuses on the browser part of that equation anyways. For that disallowing localhost and only allowing api.safenet as you proposed in the safe launcher post sounds very good.
He is talking about allowing (locally run) Apps to directly connect to the launcher via an HTTP-request on specified port. If the Launcher would not react when asked for localhost but only if the hostname given in HTTP-Headers is api.safenet that creates an unneccessary burden in development (which makes it by no means any more secure). One way to implement this second way is to urge every app to use the launcher as their proxy and only connect to the API indirectly that way (rather than directly on localhost:PORT).
Did that clarify it?