I need the www because of backlinks and SE indexing. When I have the time I’ll turn it off in the Web Panel and rewrite it in htaccess to see if that makes a difference.
Another indication the www may be the culprit is the Strict-Transport-Security header isn’t working properly either according to one of the security testing tools, blaming sub-domain is not config’d properly. Since I do not use any sub-domains on this account, it must be the www.
The other sites, where the basic CSP is working, are hosted all over. A couple at hetzner.de and one at OVH. These are not my sites, just some work I’ve done for site owners.