Skimming the API docs on MDN, it makes sure the site vendor gets to run filtering code over anything you'd want to inject via e.g. user script or console, securing it with CSP. I expect this to make user scripts work as well as they do on Chrome now. If there's a workaround, I'd love to hear about it.

Oh just great. The web is bad enough already, I think I'll have to go live in the woods if userscripts get kneecapped

Worst case you just run your userscript before any policies are created, but in most cases it's not going to impact userscripts.