
The deployment difficulty is also high, especially for what it offers. Deploying CSP on anything non-trivial involves a lot of coordination with basically anyone who runs code on your site.


This is the big one.

Lots of sites have marketing departments which like to switch out their advertising, engagement, A/B testing, etc. code on a regular basis. Which in turn requires either changing the CSP frequently to accommodate, or else opening holes in the CSP to allow marketing to just copy/paste inline JS and other badness. At which point it's hard to justify CSP.


This has been my feature work for the past couple months (I work on an enterprise site builder, basically, with some users doing what you describe -- we need to support that but hopefully with a smaller/harder to misfire footgun). There's a lot of feature complexity even after you've simplified it down, and it's kind of maddening how much effort it is to just send an extra (correct for the context) string in the response headers.

The spec versions are interesting to read too, as well as browser compatibility. Differences in interpretation of the spec lead to GitHub issues which lead to browsers fixing things in the past few months that have been part of the spec for much longer. (And if you have a big chunk of IE11 users, "what's the point" is valid.) An example of a spec issue is that I'm working on adding an endpoint for the report-uri directive so we can log some metrics but the first thing you see when reading about report-uri is that it's been deprecated in favor of report-to, but literally no stable browser release supports report-to yet.

It's also not really enough. https://github.com/tc39/proposal-frozen-realms is a useful extension, since it would allow frameworks to do what they need to set up everything but then lock down objects from further extension/abuse...
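A worked example added here, not code from any commenter: a per-response nonce-based header instead of the 'unsafe-inline' hole the thread describes, a check that flags such a hole, and a small aggregator for the JSON bodies a report-uri endpoint receives so they can be turned into the metrics mentioned above. The `/csp-report` path and the sample reports are constructed.

```python
import json
import secrets
from collections import Counter

LOOSE_CSP = "default-src 'self'; script-src 'self' 'unsafe-inline' https:"  # the "hole" the thread describes

def new_nonce() -> str:
    return secrets.token_urlsafe(16)  # fresh per response; a reused nonce is as weak as 'unsafe-inline'

def build_csp(nonce: str, report_endpoint: str = "/csp-report") -> str:
    # Inline snippets run only with <script nonce="...">; 'strict-dynamic' lets a nonced
    # tag manager load the scripts it injects without listing every vendor host.
    return "; ".join([
        "default-src 'self'",
        f"script-src 'nonce-{nonce}' 'strict-dynamic'",
        "object-src 'none'",
        "base-uri 'self'",
        f"report-uri {report_endpoint}",
    ])

def script_src_allows_inline(policy: str) -> bool:
    # script-src falls back to default-src; a nonce or hash makes browsers ignore 'unsafe-inline'.
    d = {p[0].lower(): p[1:] for p in (x.split() for x in policy.split(";")) if p}
    sources = d.get("script-src", d.get("default-src", []))
    keyed = any(s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in sources)
    return "'unsafe-inline'" in sources and not keyed

def summarize_reports(bodies) -> Counter:
    # Aggregate report-uri POST bodies (JSON wrapped under "csp-report") into
    # counts per (directive, blocked origin), which is the metric worth logging.
    counts = Counter()
    for body in bodies:
        try:
            r = json.loads(body)["csp-report"]
        except (ValueError, KeyError, TypeError):
            counts[("malformed", "")] += 1
            continue
        directive = r.get("effective-directive") or r.get("violated-directive", "unknown")
        origin = "/".join(r.get("blocked-uri", "").split("/")[:3])  # "inline" stays "inline"
        counts[(directive, origin)] += 1
    return counts

# Constructed sample reports, in the shape browsers POST to a report-uri endpoint
SAMPLE_REPORTS = [
    json.dumps({"csp-report": {"document-uri": "https://shop.example/", "effective-directive": "script-src", "blocked-uri": "inline"}}),
    json.dumps({"csp-report": {"document-uri": "https://shop.example/", "effective-directive": "script-src", "blocked-uri": "https://tags.example.net/ab.js"}}),
    json.dumps({"csp-report": {"violated-directive": "script-src", "blocked-uri": "inline"}}),
    "not json",
]
```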

