Blocking/allowlisting all JavaScript is the only way [1] to have a CSP fully contain an app (no exfiltration) [2] and with prefetch that might not be enough. The author is correct at the end to suggest using WebAssembly. (Also, it still has the issue of clicking links, which can be limited to certain domains or even data: by wrapping the untrusted code in an iframe and using child-src on the parent of the iframe)
1: https://github.com/w3c/webappsec/issues/656#issuecomment-246...
I didn't realize you could use CSP for preventing exhilaration now! How did they close the WebRTC loopholes?
They haven't. That in the spec stops short of actually saying that it will stop all exfiltration. What it will do is make it harder because you'd have to put the data in a subdomain or in a username/password. It also could make it hard to deny that an attempt to exfiltrate was deliberate.