Agreed, having the same issue. Adding the CSP into header code injection as a <meta> tag via:
<meta http-equiv="Content-Security-Policy" content="default-src 'self'">
This makes the website builder area function crash and the website unusable, removing any visual information except for text and removes any functionality in terms of layout.
I was made aware of this via Pagespeed Insights (https://pagespeed.web.dev/).
Considering we would like our websites to be as safe as possible, this is a security concern.
What solution is available to us?