This is consistent with expected behavior from my point of view. A bug in safari's controls would not infect the website. The site clearly sends a policy and safari clearly follows it. Perfectly sensible behavior.
Of course CSP does not allow a way to say -> browser controls are okay. Hence, a debate is quite welcome on whether such a specification is needed.
Secure boot is in no way bad :-) Ofcourse, it must in fact be the first point on any sane security checklist.
And one of the most common attacks aka. malicious firmware is prevented by using secure boot.
Many other classes of attacks like forcing the microcontroller to delete all its data, opening up the debug JTAG port of the microcontroller, preventing the log of certain security events etc. can be achieved with the right settings.
Though these are just remote possibilities with high levels of complexity, so is changing a production design of a board.
Of course CSP does not allow a way to say -> browser controls are okay. Hence, a debate is quite welcome on whether such a specification is needed.