The currently applied CSP is meant to make it possible to run our frontends, but nothing should ever run from the uploaded media. This CSP sandboxes (https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/sandbox) all uploads, preventing attacks.
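A way to check that upload responses actually carry the sandbox, written as an added example and not code from this project: it parses a CSP header value and reports a missing or relaxed `sandbox` directive. The function names, the sample headers, and the choice to flag `allow-same-origin` alongside `allow-scripts` are assumptions, as is the header holding a single policy.

```python
# Added example: audit the CSP served with uploaded media.
# Assumption: an upload response must carry a `sandbox` directive that grants
# neither script execution nor same-origin access.
RISKY_SANDBOX_TOKENS = {"allow-scripts", "allow-same-origin"}


def parse_csp(header_value):
    """Parse one CSP policy string into {directive: [tokens]}.

    Directive names are case-insensitive; when a directive is repeated,
    only its first occurrence is honoured, as browsers do.
    """
    policy = {}
    for part in header_value.split(";"):
        tokens = part.split()
        if not tokens:
            continue  # empty segment, e.g. after a trailing ';'
        name = tokens[0].lower()
        if name not in policy:
            policy[name] = tokens[1:]
    return policy


def audit_upload_csp(headers):
    """Return a list of findings for a media response (empty list = OK)."""
    # HTTP header names are case-insensitive.
    lowered = {k.lower(): v for k, v in headers.items()}
    value = lowered.get("content-security-policy")
    if value is None:
        return ["no Content-Security-Policy header on upload response"]
    policy = parse_csp(value)
    if "sandbox" not in policy:
        return ["policy has no sandbox directive"]
    # A bare `sandbox` applies every restriction; each token lifts one.
    return ["sandbox relaxed by " + t.lower()
            for t in policy["sandbox"] if t.lower() in RISKY_SANDBOX_TOKENS]


# Constructed sample responses (not captured from any real server).
SAMPLES = {
    "sandboxed upload": {"Content-Security-Policy": "sandbox;"},
    "relaxed upload": {"content-security-policy": "default-src 'none'; Sandbox allow-scripts"},
    "frontend-style policy": {"Content-Security-Policy": "default-src 'self'; script-src 'self'"},
}

if __name__ == "__main__":
    for label, sample in SAMPLES.items():
        print(label, "->", audit_upload_csp(sample) or "OK")
```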