Doesn't it help protect clients from malicious 3P JS?

At least so long as they don't have malicious extensions or a non-CORS browser?