Open Bug 1766813 Opened 3 years ago Updated 2 years ago

Enforce the content script's CSP for network requests from content scripts

Categories

(WebExtensions :: Request Handling, enhancement, P3)

Tracking

(Not tracked)

People

(Reporter: robwu, Unassigned)

References

(Blocks 1 open bug)

Details

There are a number of ways to trigger network requests from content scripts.
For HTML-based requests, the foundation was laid in bug 1415352.

But there are JS APIs that trigger requests that need to be accounted for too.
Currently, fetch/XMLHttpRequest/WebSocket in content scripts are tied to the ExpandedPrincipal, but I am about to change that for MV3 to address bug 1578405.

Another function that can trigger requests is the navigator.sendBeacon method. This is currently affected by the page's CSP.

We should find all ways that requests are sent through JS APIs, and ensure that the content script's CSP is applied instead of the web page's.

PS. There is a desire to move the CSP off the ExpandedPrincipal (bug 1548468), so it would be nice if the fix accounts for that.

The current behavior is vaguely documented at https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/Content_Security_Policy#csp_for_content_scripts (for clarity, not because the behavior is fully intentional).

The docs refer to a comment in bug 1581611, which is already a dependency of the same meta-bug that is the parent of this bug (bug 1581608).

Severity: -- → N/A
Priority: -- → P3