google / csp-evaluator

https://csp-evaluator.withgoogle.com
Apache License 2.0

Don't recommend trusted-types if CSP blocks scripts #43

Open Seirdy opened 2 years ago

Seirdy commented 2 years ago

If a CSP has script-src: none or equivalent to forbid script loading, or if it has a sandbox directive to forbid script execution, the CSP evaluator shouldn't recommend requires-trusted-types-for: script because there is no script execution happening in the first place.

Seirdy commented 2 years ago

I considered making this issue about skipping the trusted-types recommendation even if scripts are present if they don't mess with DOM XSS sinks. I decided against this because adding the necessary script parsing logic to the CSP Evaluator would complicate things.
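The check the opening comment asks for, as an added example (not code from google/csp-evaluator; function names and sample policies are my own): parse a serialized policy, decide whether script execution is possible at all, and only then let a Trusted Types recommendation through. It also covers the `default-src` fallback and a `sandbox` with `allow-scripts`, which the comment does not spell out.

```python
# Added example, not part of the csp-evaluator project. Helper names are
# assumptions; the policies in the test are constructed samples.

def parse_csp(policy: str) -> dict[str, list[str]]:
    """Parse a serialized CSP into {directive: [values]}.

    Browsers ignore a repeated directive, so the first occurrence wins.
    """
    directives: dict[str, list[str]] = {}
    for raw in policy.split(";"):
        tokens = raw.strip().split()
        if not tokens:
            continue
        name = tokens[0].lower()
        if name not in directives:
            directives[name] = tokens[1:]
    return directives


def scripts_blocked(directives: dict[str, list[str]]) -> bool:
    """True when the policy forbids script execution entirely."""
    # A sandbox without allow-scripts disables scripting no matter what
    # script-src says.
    if "sandbox" in directives:
        flags = {v.lower() for v in directives["sandbox"]}
        if "allow-scripts" not in flags:
            return True
    # script-src falls back to default-src; script-src-elem/-attr are
    # out of scope for this example.
    sources = directives.get("script-src", directives.get("default-src"))
    if sources is None:
        return False          # unrestricted: scripts can run
    if not sources:
        return True           # empty source list matches nothing
    values = [s.lower() for s in sources]
    # 'none' only takes effect when it is the sole source expression.
    return values == ["'none'"]


def should_recommend_trusted_types(policy: str) -> bool:
    """Recommend require-trusted-types-for only where scripts can execute
    and the directive is not already present."""
    directives = parse_csp(policy)
    if "require-trusted-types-for" in directives:
        return False
    return not scripts_blocked(directives)
```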