I had formed a loose memory at work of having had to install some kind of special software so that all of the .localhost hostnames would resolve for development, but it turns out that they are actually a special use domain name, per RFC 6761.

They have special treatment in curl and browsers, and have for years, resolving to loopback directly. In concert with a webserver like traefik that can perform routing, and mkcert to get a good local wildcard certificate, I can get a very realistic TLS-terminated web experience locally, which is a godsend when trying to develop things like passkey authentication.