
Specs are wrong sometimes, and I think there's an argument to be made that the spec is wrong here. Firefox's policy re: bookmarklets on CSP sites is probably the best choice for protecting ordinary computer users; bookmarklets and javascript: URLs are a common attack vector for targeting high-value websites like Discord, Slack and Gmail (with the caveat that browsers have slowly locked down those attacks). Just open the developer console on Discord sometime; they show an enormous message telling you not to paste stuff in there.

I do think it would be worthwhile to have some sort of power user mode to override that for bookmarklets, but I can understand not wanting to invest resources in building it.
