How is AMP-Same-Origin: true even remotely secure?

in the AMP Docs, the following snippet is given:

If the Origin header is set:

  1. If the origin does not match one of the following values, stop and return an error response:

    • <publisher's domain>.cdn.ampproject.org

    • the publisher’s origin (aka yours)

      where * represents a wildcard match, and not an actual asterisk ( * ).

  2. Otherwise, process the request.

If the Origin header is NOT set:

  1. Verify that the request contains the AMP-Same-Origin: true header. If the request does not contain this header, stop and return an error response.
  2. Otherwise, process the request.

What I don’t understand is how the AMP-Same-Origin header provides a form of security.

TLDR:

Couldn’t anyone provide an AMP-Same-Origin: true header in a browser missing the Origin header and skip CSRF protection even if it’s not on a trusted AMP CDN?