Split from T286515#7235469:
Based on https://gerrit.wikimedia.org/g/operations/mediawiki-config/+/477ea0f97c1d763582b76570882e530149dd8356/wmf-config/CommonSettings.php#4149, it looks like we avoid setting CSP headers for logged-out users. Instead of checking this in a $wgExtensionFunctions, it should use a proper hook for this purpose or maybe a new core setting, like $wgEnableCSPForLoggedOut = false;