Uploads: Sandbox them in the CSP.
The currently applied CSP is meant to make it possible to run our frontends, but nothing should ever run from the uploaded media. This CSP sandboxes (https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/sandbox) all uploads, preventing attacks.