Question

If JSONP easily works around cross domain constraints (same origin policies), why do browsers even bother anymore? I'm racking my brain for a reason, but all I come up with is that it's actually worse and provides an illusion of safety.


Solution

The reason is simple: it is based on TRUST. If there is no trust, you cannot do JSONP. For example: if domain abc.com does not trust def.com, abc.com just does not support JSONP and def.com cannot utilize JSONP (or CORS).

Both server and client have to trust each other for JSONP to work (including CORS)

  • The server trusts the client and supports JSONP (CORS)
  • The client trusts the server that the script returned from the server does not compromise JavaScript on the page. Because in order to use JSONP, the client loads the script and executes it using a script tag => very dangerous.

When you implement your code, usually both domains are under your control and there is no harm in doing that. In other cases, for example yourdomain.com and evil.com do not trust each other => browsers block cross-domain requests to ensure security.

JSONP easily works around cross domain constraints

No, you cannot always use JSONP. JSONP only works if there is trust between browser and server.

OTHER TIPS

JSONP does not work around cross domain constraints. Not at all.

Forget the term JSONP. It's just a <script> element, typically but not necessarily inserted into the DOM dynamically. Nothing more, nothing less.

It's always been possible to load <script> elements from any domain. There's no cross domain restriction on <script> elements.

And that's all JSONP is. It's just a convention for using a <script> element. It's not related in the slightest to any of the other cross-domain constraints, because it doesn't use the mechanism that is subject to those constraints.

Note that you can't just decide to use JSONP to access a JSON resource across domains. If the resource is pure JSON you won't be able to read it unless it's in the same domain or allows access via CORS. There's nothing you can do from the browser to change this. The server has to provide the resource as an executable script, i.e. JSONP.
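The two answers above describe the same mechanism from both ends: the server has to opt in by handing back an executable script, and the browser then runs it exactly as it would any other `<script>`. The following is an added example, not code from either answer, that models that exchange in plain JavaScript (runnable under Node): a server-side JSONP wrapper, a stand-in for the browser executing the returned script, and the CORS header check that governs a plain JSON resource instead. The data, callback name and header values are constructed for illustration.

```javascript
// Server side: "supporting JSONP" means wrapping JSON in a call to the callback
// the caller asked for. The server only does this for data it is willing to
// hand to any origin, because the browser will execute the response as script.
const CALLBACK_RE = /^[A-Za-z_$][\w$]*$/;

function jsonpResponse(data, callbackName) {
  // Only accept a plain identifier as the callback so the body is exactly
  // `name(<json>);` and nothing else the caller typed. This validation is a
  // standard defensive practice assumed here, not something the answers state.
  if (!CALLBACK_RE.test(callbackName)) {
    return { status: 400, contentType: "text/plain", body: "bad callback" };
  }
  return {
    status: 200,
    contentType: "application/javascript",
    body: `${callbackName}(${JSON.stringify(data)});`,
  };
}

// Client side: a <script src="https://api.example/data?callback=handle"> tag
// has no cross-origin restriction, so the browser simply runs whatever comes
// back. Emulated with Function so this file runs outside a browser.
function loadViaScriptTag(response, callbackName) {
  let received;
  const script = new Function(callbackName, response.body);
  script((data) => { received = data; });   // the page's global `handle`
  return received;
}

// The alternative for a plain JSON resource: the browser fetches it but only
// lets the page read the body when the server's header names that origin.
function corsAllowsRead(responseHeaders, requestOrigin) {
  const allow = responseHeaders["access-control-allow-origin"];
  return allow === "*" || allow === requestOrigin;
}

// Constructed sample exchange.
const sample = jsonpResponse({ user: "alice", id: 7 }, "handle");
const result = loadViaScriptTag(sample, "handle");
console.log(sample.body, "->", result);
```

A server that does not wrap its JSON (or does not send `Access-Control-Allow-Origin`) leaves the page with no way to read the data, which is the point both answers make.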

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow