See also github issue [The editor's draft includes several features that no one has shipped](https://github.com/w3c/webappsec-csp/issues/563), which doesn't have a clear decision on removing webrtc, but dveditz commented positively. Even after this is fixed, there would probably still be ways of exfiltrating data. E.g. I am not sure if WebTransport couldn't be used just like WebRTC.
Bug 1783489 Comment 2 Edit History
Note: The actual edited comment in the bug view page will always show the original commenter’s name and original timestamp.
See also github issue [The editor's draft includes several features that no one has shipped](https://github.com/w3c/webappsec-csp/issues/563), which doesn't have a clear decision on removing webrtc, but dveditz commented positively. Even after this is fixed, there would probably still be ways of exfiltrating data. E.g. I am not sure if WebTransport couldn't be used just like WebRTC. (Edit: Seems like WebTransport is covered by `connect-src`)