Yes, that is true of CORS in general. If the attacker can link to their own sites, they can do all kinds of things besides make you load font resources as well.
But that is also true wrt the first point in your original argument: http://lists.w3.org/Archives/Public/www-font/2009JulSep/0827.html
From: rocallahan@gmail.com [mailto:rocallahan@gmail.com] On Behalf Of Robert O'Callahan
Sent: Tuesday, May 04, 2010 1:30 PM
To: Levantovsky, Vladimir
Cc: Sylvain Galineau; Anne van Kesteren; public-webfonts-wg@w3.org; www-font@w3.org
Subject: Re: About using CORS
For what it's worth, I don't think this security argument holds much water. The attacker can always send Access-Control-Allow-Origin:* from their server to enable cross-site usage. The same-origin check may discourage authors from linking to other people's sites (which later get compromised or domain-stolen), thus providing some protection that way, but that's a very weak argument IMHO.
Rob
--
"He was pierced for our transgressions, he was crushed for our iniquities; the punishment that brought us peace was upon him, and by his wounds we are healed. We all, like sheep, have gone astray, each of us has turned to his own way; and the LORD has laid on him the iniquity of us all." [Isaiah 53:5-6]