Bit of an unfair comparison there with csp on your website there. You cite the article that most csp policies are ineffective at preventing xss, but xss and data exfilitration are different things, and csp policies that are ineffective at blocking xss are often effective at blocking data exfiltration.