How so? I don't remember ever having seen issues with this. If anything CSP steers you towards this (instead of inline scripts directly assigning to JS variables)

I thought I knew but it seems that the CSP story is unclear. I couldn't find an authoritative source for either position

CSP blocks execution/inclusion, but since json does not execute and any json mimetype will not do execution there is no problem.

Any CSP-allowed other script can read that application/json script tag and decode it, but it is no different than reading any other data it has access to like any other html element or attribute.

That makes sense, thank you