Duplicati upgrade - "The host header sent by the client is not allowed"

That would open them up to the very problem the change addresses.

Basically you set up a DNS to handle attack.example.com, then send a phishing email to the victim.

When the victim accesses attack.example.com the DNS resolves to whatever IP the attacker uses, say 172.x.x.x.

The server responds with a flash or javascript payload. This payload probes the DNS until attack.example.com resolves to 127.0.0.1.
Now the malicious script is running in the browser and using “same origin” as localhost, and can thus access any http-based resource on your machine, including Duplicati run on localhost only.

The attack script can of course show whatever contents while it is working in the background, luring the user to wait until the attack completes.

By forcing the hostname to be explicitly validated, the attacker needs to first guess what this is (if any are allowed) and seize control over that before the attack works.

Browsers are working to mitigate this issue by rejecting the low ttl setting, such that the IP for a hostname is fixed for the duration of the session after a lookup.

More info:
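The hostname validation described in this reply, written out as an added example (not Duplicati's own code): an exact-match allowlist check on the Host header, which a rebinding page cannot satisfy because the browser still sends the attacker-controlled name it was loaded from, even after the DNS answer has flipped to 127.0.0.1. The default allowlist, the `*` opt-out and the `check_request` helper are assumptions for this example.

```python
import re
from typing import Iterable, Optional

# Default allowlist (an assumption for this example): only loopback names that a
# legitimate local user would type into the browser.
DEFAULT_ALLOWED = ("localhost", "127.0.0.1", "[::1]")

# Host header grammar: a bracketed IPv6 literal or a DNS name / IPv4 address,
# optionally followed by ":port". Anything else (user@, paths, spaces) is rejected.
_HOST_RE = re.compile(
    r"^(?:\[(?P<v6>[0-9A-Fa-f:.]+)\]|(?P<name>[A-Za-z0-9.-]+))(?::(?P<port>\d{1,5}))?$"
)

def normalize_host(host_header: Optional[str]) -> Optional[str]:
    """Return the lowercase hostname from a Host header, or None if malformed."""
    match = _HOST_RE.match((host_header or "").strip())
    if not match:
        return None
    port = match.group("port")
    if port is not None and not 0 < int(port) <= 65535:
        return None
    host = match.group("v6") or match.group("name")
    # Case and a trailing dot do not change which name the browser resolved.
    return host.lower().rstrip(".")

def host_allowed(host_header: Optional[str], allowed_hosts: Iterable[str] = DEFAULT_ALLOWED) -> bool:
    """Exact-match check: the browser sends the name the user typed, so a rebinding
    page served from attack.example.com still carries Host: attack.example.com even
    after the DNS answer has been switched to 127.0.0.1."""
    allowed_hosts = tuple(allowed_hosts)
    if "*" in allowed_hosts:          # explicit opt-out of the check (assumed syntax)
        return True
    host = normalize_host(host_header)
    if host is None:
        return False
    allowed = {normalize_host(h) for h in allowed_hosts} - {None}
    return host in allowed            # never substring or suffix matching

def check_request(headers: dict, allowed_hosts: Iterable[str] = DEFAULT_ALLOWED) -> tuple:
    """Return the (status, message) the web service would answer with."""
    if host_allowed(headers.get("Host"), allowed_hosts):
        return 200, "OK"
    return 400, "The host header sent by the client is not allowed"

if __name__ == "__main__":
    # Constructed sample headers: a local user first, then a rebinding page's request.
    for h in ({"Host": "localhost:8200"}, {"Host": "attack.example.com"}):
        print(h["Host"], "->", check_request(h))
```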