If you look at the pseudo-code of Argon2 you'll find that it creates the "tag" at the end of the function:
return Hash(C, tagLength)
The tag itself is just a hash. For Argon2, the Hash call uses Blake2b to create a hash function with configurable output size as the call above implies. For larger output it uses the initial Blake2b hash as starting point and then iteratively creates the follow-up blocks by rehashing the material.
Obviously it would be problematic if all the blocks were output, as that would mean that anybody could reconstruct all the bits if they knew the first block. Fortunately Argon2 outputs only 32 out of the 64 bytes produced for each block, leaving 256 bits to remain unknown. This also means that you'd require two calls to Blake2b instead of one, halving the maximum performance that you would expect. Clearly this wasn't designed for maximum speed. Note that the digestSize (the length of the output) is also included in the initial call to Blake2b, meaning that you'll have to know the key stream size in advance.
So is it secure? Well, there are distinguishers for reduced round Blake2 but those are not practical, and it is unlikely that a quantum computer will break the algorithm any time soon. Keeping 256 bits out of each block unknown seems fine as well.
So yes, in principle you could use it to encrypt using XOR. Argon2 also has a limit of $2^{32}$ bytes, so going over 4 GiB is not possible. Using a fast authenticated (stream) cipher should definitely be preferable.
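The variable-length hash described above, written out as an added example that is not part of the original answer. It follows the H' construction in RFC 9106 section 3.3; the function name `h_prime` and the 1024-byte stand-in for the final block C are assumptions made for illustration.

```python
import hashlib
import struct


def h_prime(x: bytes, tag_length: int) -> bytes:
    """Argon2's variable-length hash H'(x, T), per RFC 9106 section 3.3."""
    # The requested length is hashed in first, so the total output
    # size must be known before any output is produced.
    prefix = struct.pack("<I", tag_length)
    if tag_length <= 64:
        return hashlib.blake2b(prefix + x, digest_size=tag_length).digest()

    r = -(-tag_length // 32) - 2          # ceil(T / 32) - 2
    v = hashlib.blake2b(prefix + x, digest_size=64).digest()
    out = [v[:32]]                         # emit 32 bytes, keep 32 hidden
    for _ in range(r - 1):
        v = hashlib.blake2b(v, digest_size=64).digest()
        out.append(v[:32])
    # The last block is emitted in full (33 to 64 bytes); nothing follows it.
    out.append(hashlib.blake2b(v, digest_size=tag_length - 32 * r).digest())
    return b"".join(out)


def chain_check(x: bytes, tag_length: int = 128):
    """Compare the second output block against two candidate derivations."""
    tag = h_prime(x, tag_length)
    v1 = hashlib.blake2b(struct.pack("<I", tag_length) + x,
                         digest_size=64).digest()
    from_full_state = hashlib.blake2b(v1, digest_size=64).digest()[:32]
    from_visible_half = hashlib.blake2b(tag[:32], digest_size=64).digest()[:32]
    return tag[32:64] == from_full_state, tag[32:64] == from_visible_half


if __name__ == "__main__":
    c = bytes(1024)  # constructed stand-in for Argon2's final block C
    print(h_prime(c, 128).hex())
    print(chain_check(c))  # (True, False)
```

The second block only matches when it is derived from the full 64-byte state, which is why withholding half of each block prevents extending the stream from its visible output.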