After discussing with @antoniomika we decided to keep as-is. From IRC:
antoniomika: Currently we have it set where if you're using a custom domain, the CSP doesn't get set. Which honestly, I think is the right way of doing this. That way, anyone using a pico domain has to abide by a strict CSP (which would prevent people using us directly for scripting), but they can with their own domain.
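The behaviour described above, sketched as Go middleware. This is an added example, not the project's own code: `pages.example`, the policy string and the function names are placeholders assumed for illustration. It shows the host-matching details that decide whether the strict CSP applies (port, case, trailing dot, look-alike suffixes).

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Placeholders assumed for this example, not the project's real values.
const platformDomain = "pages.example"
const strictCSP = "default-src 'self'; script-src 'none'; object-src 'none'"

// isPlatformHost reports whether a Host header value names the platform
// domain or one of its subdomains, ignoring port, case and a trailing dot.
func isPlatformHost(hostport string) bool {
	host := hostport
	if h, _, err := net.SplitHostPort(hostport); err == nil {
		host = h
	}
	host = strings.ToLower(strings.TrimSuffix(host, "."))
	return host == platformDomain || strings.HasSuffix(host, "."+platformDomain)
}

// withCSP sets the strict policy for platform hosts and leaves custom domains alone.
func withCSP(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if isPlatformHost(r.Host) {
			w.Header().Set("Content-Security-Policy", strictCSP)
		}
		next.ServeHTTP(w, r)
	})
}

// cspFor returns the CSP header a request for the given Host would receive.
func cspFor(host string) string {
	req := httptest.NewRequest(http.MethodGet, "/", nil)
	req.Host = host
	rec := httptest.NewRecorder()
	withCSP(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {})).ServeHTTP(rec, req)
	return rec.Header().Get("Content-Security-Policy")
}

func main() {
	hosts := []string{"alice.pages.example", "ALICE.pages.example:443", "blog.alice.test", "evilpages.example"}
	for _, h := range hosts { // constructed sample hosts
		fmt.Printf("%-26s CSP=%q\n", h, cspFor(h))
	}
}
```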