That's like asking any other software dev to "say no" to letting other programs run concurrently with their own. It's just not within scope, and any attempts to have your program behave this way will be impossible to maintain.
If you're a business that wants to inject ads without anyone getting in the way, all you have to do is host the pages somewhere the dev can't touch. This would likely be a CDN or similar for a multitude of other good reasons. So the content security policy is now only configurable by the admin who really doesn't give a shit and doesn't even know what's being hosted on there.