Listening to “localhost” is kinda-okay because it is better than the threat as-described; however it opens up whole new vistas of threats associated with web software (especially Apache-related) which “trusts” localhost.
See this thread for details: https://twitter.com/AlecMuffett/status/922924914893398017
See this article for explanation:
Some dark web sites are unwittingly giving away their secret locations thanks to a basic configuration mistake that's…nakedsecurity.sophos.com
See this Github document for how to avoid this problem: