As part of the effort to put CSP on all the things, as well as to help mitigate the risk of an XSS in the query service (like T233213), I think it would be prudent to adopt a CSP policy for WDQS.
Looking at query.wikidata.org, at first glance the GUI appears to be a fairly modern JS application that mostly avoids inline JavaScript, and where there is inline JS (like in embed mode), it appears to be mostly static scripts. Anyway, I need to investigate a little more, but at first glance it looks like it would be fairly easy to adopt a CSP policy that would increase the security of WDQS without any negative side effects.