The intention in Timing-Allow-Origin (TAO) is to protect the timing it took to fetch the image. Not the content of the image.
The intention in protecting renderTime is to avoid exposing something about the content of the image.

With CORS images, one can anyway know everything about the image and doesn't need to decipher the content from render time.
While with TAO, it's the only place where it's used outside of the context of protecting fetch information.