I think this is what @sleevi was alluding to the other day on Twitter.

An attacker that is in control of canceling a "no-cors" fetch can influence how many bytes end up in the body. This might result in some crucial bit of the resource not ending up with the user.

Perhaps we should enforce Content-Length or some such and result in a network error in cases like this? Streaming doesn't work with "no-cors" (opaque) so that's less of a concern (though that has its own set of concerns).