Why are there .headers files here for the .mjs scripts?

Because ../getter-sandboxed-iframe.sub.https.html is testing an opaque origin, which is cross-origin with these scripts. Since <script type="module"> respects the same-origin policy, we need CORS headers to allow them to be accessed.