In order to create short URLs for queries, query.wikidata.org needs to be able to send authenticated API requests (action=shortenurl) to some production wiki (Wikidata or Meta would be appropriate, but the config is probably the same for all wikis anyways). This shouldn’t be a security problem because query.wikidata.org only runs trusted JavaScript code.
That said, I’m not sure if the Wikidata Query UI code ever actually went through security review (it seems T105196 only covered the server-side parts), and apparently T108101 explicitly disabled CORS for this domain, so I’m not sure how trivial this request is.