CSP is harder to lock down for sites like fe.soapbox.pub whose purpose is to connect to arbitrary domains. I can at least limit js execution, but images cannot have limitations so it's good the browser restricts svg features in img tags.
I was thinking about exposing the media baseurl over the API and then having the ServiceWorker intercept fetch requests to that host, and drop any harmful content-types. Which is insane, but would offer an extra layer.