by ximm 1840 days ago
Bookmarklets will die once Content Security Policies get wider adoption, which I really hope will happen soon.
5 comments

According to the spec, Bookmarklets should actually be exempt from a site's CSP. The reason is that the user's preferences should take precedence over a site's preferences.

There's an open bug in Firefox about this (because it doesn't follow the spec): https://bugzilla.mozilla.org/show_bug.cgi?id=866522

Bookmarklets are exempt from CSP by spec.

And as far as I can tell, they should be. They're a natural intermediate step between nothing and extensions, and there's not really security problems they have that extensions don't.

If there's a problem here, it's that browsers (some, at least) aren't following the spec.

I sure hope not. I rely on bookmarklets on a regular basis. I use them every day.
Yeah, what? I actually have a client that relies on these for some stuff I wrote for them. I guess this means I'll have to rework it, but if they represent a security concern then I guess that's all there is to it.
They don't represent any more of a security concern than an extension, or even a browser.

The real reason they'll stop working (if they do stop working) is that it would be extra work for browser vendors to maintain and "pfft, power users? what are those"

How does CSP affect bookmarklets?
As others have noted, according to spec, it's not supposed to, but in practice at least some browsers apply the CSP to them.

Something I'm not clear on is whether the CSP spec says it shouldn't apply to any bookmarklet or if it only shouldn't apply to bookmarklets that don't request resources from other domains. That is, CSP shouldn't prevent a bookmarklet's own code from doing things like adding/removing attributes to elements but if the bookmarklet tries to load other files (more JavaScript, CSS files, images, etc.) then the page's CSP should apply.

To me, if a browser extension can run, a bookmarklet should also be able to run; a difference is the bookmarklet will only run once when it's clicked and will always clear from memory when a new page is requested.

Both extensions and bookmarklets pose some risk to the user but it's a worthwhile trade-off. If bookmarklets started to become a problem (remote resources being replaced with malware), maybe restrictions would be necessary, like all links to remote resources requiring valid subresource integrity hashes.

Do you know of a replacement for the last resort for transforming a web page into something readable for an individual with accessibility needs?
A browser's built-in Reader Mode (Safari, Mac and mobile, Firefox, Edge's Immersive Reader, Chrome has one behind a feature flag) can be very helpful when they work. A better solution is probably one of the browser extensions, like Stylus [0], that enable not just a single user stylesheet but the ability to have custom stylesheets on a per-domain basis. On top of that personal customization, they can load stylesheets others have already created and shared on userstyles.org [1].

[0] https://en.wikipedia.org/wiki/Stylus_(browser_extension)
[1] https://userstyles.org

Firefox's Reader Mode maybe?