There used to be a way that made it possible for CSS to embed local files
Unfortunately that also made if possible for an attacker to read the content of other files, if some code would be embedded in a website, that a user would load via an iframe.
CVE-2023-2110 if you are curious about the details