`sandbox` doesn’t affect making requests via HTML (images, stylesheets, etc.).
Right, but what would be the security impact of that compared to just plain HTML? I guess it allows for some form of view counting or IP exfiltration, but other than that anything you can do with an external request you could do with an embedded data URI.
As far as I understand CSP, since it’s set to `none`, no URIs are allowed, not even `data`. Inline scripts and stylesheets are not allowed either, since `unsafe-inline` (or nonces/hashes) is missing.