Kind of. As I explained in my sibling comment at https://news.ycombinator.com/item?id=26801359 , it really exists because people (e.g. intranet administrators) expose resources based on your network status or IP addresses. I think this is a bit more general than specifically VPNs.

If it wasn't for that, then yeah, we could just strip cookies/client certs/etc. from cross-origin requests and they'd be safe.