However, when I open up a browser and type in http://localhost:8080/api/car I am still able to access the REST endpoint.
CORS allowed-origins settings don’t cause servers to block requests.
And because the server isn’t blocking the request, that doesn’t prevent you from opening the URL directly in a browser.
The same-origin policy is what imposes cross-origin restrictions, and the same-origin policy is only applied to frontend JavaScript in web applications running in a web browser, and using XHR or Fetch or jQuery $.ajax(…) or whatever to make cross-origin requests.
So CORS isn’t a way to cause servers to block requests. And so it also isn’t a way to prevent users from being able to directly navigate to a URL, and isn’t a way to prevent any non-web-application tools like curl or Postman or whatever from accessing the URL.
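A simplified model of the behaviour described above, added here as an example and not part of the original answer: the server always serves the request, and only the browser's check on frontend JavaScript decides whether the response is readable. The allowed origin `http://localhost:4200`, the function names, and the car data are assumptions made for illustration.

```javascript
// Simplified model (added example). ALLOWED_ORIGINS, handleCarRequest,
// clientCanReadBody and request are hypothetical names; the data is constructed.
const ALLOWED_ORIGINS = new Set(["http://localhost:4200"]);

// Server side: an allowed-origins setting only decides whether the
// Access-Control-Allow-Origin header is added. The request is served either way.
function handleCarRequest(req) {
  const res = {
    status: 200,
    headers: { "content-type": "application/json" },
    body: JSON.stringify([{ id: 1, make: "ExampleMake" }]),
  };
  const origin = req.headers.origin;
  if (origin && ALLOWED_ORIGINS.has(origin)) {
    res.headers["access-control-allow-origin"] = origin;
    res.headers["vary"] = "Origin";
  }
  return res;
}

// Client side: who gets to read the body?
// kind is "navigation" (URL typed into the address bar), "tool" (curl, Postman)
// or "script" (frontend JavaScript using XHR/Fetch on a page at pageOrigin).
function clientCanReadBody(kind, url, res, pageOrigin) {
  if (kind === "navigation" || kind === "tool") return true; // no CORS check applies
  if (new URL(url).origin === pageOrigin) return true;       // same origin
  const acao = res.headers["access-control-allow-origin"];
  return acao === "*" || acao === pageOrigin;                // browser-enforced check
}

// Sends one request through the model. The browser adds an Origin header
// only for cross-origin requests made by scripts.
function request(kind, url, pageOrigin) {
  const crossOrigin = kind === "script" && new URL(url).origin !== pageOrigin;
  const headers = crossOrigin ? { origin: pageOrigin } : {};
  const res = handleCarRequest({ method: "GET", url, headers });
  return { status: res.status, readable: clientCanReadBody(kind, url, res, pageOrigin) };
}

const API = "http://localhost:8080/api/car";
console.log("address bar      ", request("navigation", API));
console.log("curl / Postman   ", request("tool", API));
console.log("allowed origin   ", request("script", API, "http://localhost:4200"));
console.log("other origin     ", request("script", API, "http://other.example"));
```

In every case the server answers with status 200; restricting who may call the endpoint requires authentication and authorization on the server, not CORS settings.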