
And JS can also indirectly initiate requests for resource or page fetches, e.g. by creating image tags or popup windows. It can't see the results directly, but it can make some inferences.


There are so, so, so many ways to read this data back it's not even fun.


There are ways, but they generally need cooperation from both sides of the inter-domain boundary. What you generally can't do is make arbitrary reads from the context of another domain (e.g. call GET on their API and read a result) into your domain without them explicitly allowing it.


Right. What you can sometimes do is observe the effects of the content being loaded, e.g. see the dimensions of an image element change when its content is loaded.


Is there some document somewhere that lists all the potential ways of doing stuff like this?


Yeah, https://xsleaks.dev tracks most of the known ways to leak cross-origin data.


Oh hell yes. And oh yes, iframes and postMessages, of course people would set them up incorrectly, and even if they do, some (probably not that important, but still) data will leak if you're creative enough. Thanks for the link!
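
A receiver-side illustration of the postMessage misconfiguration mentioned in the comment above, added here as an editor's example and not written by anyone in the thread. It puts a loose origin check beside an exact-match one; the origins, the message shape and the function names are assumptions, and the events are constructed.

```javascript
// Editor-added example; origins, message shape and names are assumptions.
const TRUSTED_ORIGINS = new Set(["https://app.example.com"]);

// Misconfigured check: a substring match also accepts look-alike origins.
function weakIsTrusted(origin) {
  return origin.indexOf("app.example.com") !== -1;
}

// Correct check: exact match of the full origin against an allowlist.
function strictIsTrusted(origin) {
  return TRUSTED_ORIGINS.has(origin);
}

// Builds a "message" listener body; returns true only if the event was acted on.
function makeHandler(isTrusted, onResize) {
  return function handle(event) {
    if (typeof event.origin !== "string" || !isTrusted(event.origin)) return false;
    const d = event.data;
    // Validate the payload shape too: a trusted origin can still send junk.
    if (d === null || typeof d !== "object" || d.type !== "resize") return false;
    if (!Number.isInteger(d.height) || d.height < 0 || d.height > 10000) return false;
    onResize(d.height);
    // Reply with an explicit targetOrigin, never "*": the browser then drops
    // the reply if the sending window has navigated to another origin.
    if (event.source) event.source.postMessage({ type: "ack" }, event.origin);
    return true;
  };
}

// Constructed sample events (not captured traffic).
const SAMPLE_EVENTS = [
  { origin: "https://app.example.com", data: { type: "resize", height: 420 } },
  { origin: "https://app.example.com.lookalike.test", data: { type: "resize", height: 420 } },
  { origin: "https://app.example.com", data: "resize:420" },
  { origin: "null", data: { type: "resize", height: 420 } },
];

function runAll(isTrusted) {
  const handle = makeHandler(isTrusted, () => {});
  return SAMPLE_EVENTS.map((e) => handle(e));
}

console.log("weak  :", runAll(weakIsTrusted));
console.log("strict:", runAll(strictIsTrusted));
```

In a page, the function returned by `makeHandler` would be registered with `window.addEventListener("message", handle)`.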



