Unless you can influence an organisation at a pretty high level it is often impossible to write a useful CSP.
To take a really degenerate example, media sites tend to have so many third-party JS integrations (maps, multiple analytics providers, ad systems etc etc) that you can't write a useful, security-improving CSP :/
Which means talking to marketing about their preferred analytics tool, asking the business if they really want these ad networks etc etc.