I don’t think that is correct. I have been working on this for a few days now and created several versions of the extension, even one where it loads no cards and just shows a link. Every time I get the CSP error, despite even whitelisting the exact event URL and not just the root domain.
I also have other people testing different versions of the extension on their devices, and they are seeing the same behaviour.