Scripts injected via `eval` are allowed with `trusted-types-eval` and `require-trusted-types-for 'script'`.