Enabling CORS will explicitly loosen the security protections that are provided in a browser based environment.
By its very nature, it makes the data you have stored in elasticsearch available in more contexts. A naive configuration of CORS would allow any websites to query your data. A more considered configuration may be secure depending on your environment.
It is impossible for us to perform that risk assessment on your behalf. CORS is disabled by default because that is the only reliable secure setting, but if you are careful and make well-considered choices when enabling CORS, that can be secure as well.
We do not generally recommend that approach. If this is a private network, then you can make it work, but we would discourage it.