Security is done in layers. CSP is a layer. You’re not going to suffer without it using a well-designed site, but it certainly is nice to have. I build my sites now with CSP in mind and try to grant only what’s necessary.
Nevertheless, fox is right in that script elements are removed (both HTML tags and inline) from subscribed content. I have yet to see the current filter circumvented, but if someone finds a way, by all means notify fox responsibly so it can be addressed in an update.
Keep in mind that the only content you’re seeing is content you subscribe to. While there should be a measure of trust here, we cannot be certain a site is not hacked, so there is a sanitize method that cleans the content.
You can add a CSP policy. I would do it in the web server conf files along with the cross-origin, sniffing, etc. headers. With TT-RSS you are going to have to make it somewhat relaxed because of the way it has been designed.
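
As an added example (not part of the post above and not TT-RSS's own configuration), this is roughly what such web-server-level headers look like in nginx. The file name and every source list are assumptions to be tuned; the `'unsafe-inline'` entries are the relaxation, assumed necessary here, and the Report-Only header shows in the browser console what a stricter policy would block.

```nginx
# security-headers.conf (hypothetical file name; added example).
# Include it inside the server { } block that serves the reader.
# Every source list below is an assumption, not a value published by TT-RSS.

# Sniffing: stop browsers from guessing content types.
add_header X-Content-Type-Options "nosniff" always;

# Cross-origin: keep other origins from framing the app, embedding its
# resources, or holding a window reference to it.
add_header X-Frame-Options "SAMEORIGIN" always;
add_header Cross-Origin-Opener-Policy "same-origin" always;
add_header Cross-Origin-Resource-Policy "same-origin" always;
add_header Referrer-Policy "no-referrer" always;

# Enforced policy, relaxed where a feed reader plausibly needs it:
#  - img-src / media-src / frame-src allow any https host, because articles
#    embed remote images, audio, video and players
#  - 'unsafe-inline' in script-src and style-src is the relaxation; with it in
#    place, CSP no longer blocks injected inline script, so the content
#    sanitizer remains the layer that has to catch it
add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; media-src 'self' https:; frame-src https:; object-src 'none'; base-uri 'self'; form-action 'self'; frame-ancestors 'self'" always;

# Candidate stricter policy: reported, not enforced. Browse the app with the
# developer console open; each violation logged there is something the app
# actually depends on. Tighten the enforced policy once the list is empty.
add_header Content-Security-Policy-Report-Only "default-src 'self'; script-src 'self'; style-src 'self'; img-src 'self' data: https:; media-src 'self' https:; frame-src https:; object-src 'none'; base-uri 'self'; form-action 'self'; frame-ancestors 'self'" always;
```

By default nginx inherits `add_header` directives from the enclosing level only when the current level defines none of its own, so a `location` block that sets any header needs this file included again or it will serve responses without the policy.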