Listening to “localhost” is kinda-okay because it is better than the threat as-described; however it opens up whole new vistas of threats associated with web software (especially Apache-related) which “trusts” localhost.

See this thread for details: https://twitter.com/AlecMuffett/status/922924914893398017

See this article for explanation:

Basic error can reveal hidden dark web sites

See this Github document for how to avoid this problem:

https://github.com/alecmuffett/the-onion-diaries/blob/master/basic-production-onion-server.md