by lvh 2901 days ago
TL;DR: a terrifying number of sites legitimately end up using these unsafe features without realizing it.

The spec revisions are a little arduous, but in my experience the biggest problem is that any site big enough to start caring about CSP is also big enough to have a myriad of trackers and JS snippets that insist on using these unsafe features. Google Tag Manager might as well have been based on weaponized XSS payloads.

And now the technical problem is actually a human problem because some poor security schmuck has to convince a totally different team with a totally different reporting structure (those trackers likely go up into sales or marketing, possibly some random SEO contractor you've barely heard of!) to prioritize a pretty fundamental change.

Maybe the security person tries to walk up their reporting chain until the two converge, possibly at the CEO. But it sure sounds like you're trying to kill a feature for intangible goals (it may or may not prevent an XSS vuln, you say?). And the team that owns the feature will tell you they can directly attribute growth to the visibility they get from that feature.

Even when it isn't SEO's fault, a lot of sites legitimately use inline scripts in order to shovel some server-side JSON into the rendered HTML quickly where eventually some JS can access it for example. You can use DOM elements with data attributes, but that's probably not how it works today because that's not the obvious way to do it.