Eval, callerRealm and calleeRealm #539
Description
According to https://w3c.github.io/webappsec-csp/#can-compile-strings, I have the impression that window.eval should be gated behind both the CSP of window's document and the CSP of the context calling the function.
In particular, if a parent document A without CSP has a same-origin child document B with CSP: script-src 'self', then calling parent.contentWindow.eval() from B should throw.
This does not seem to be the case in any of the major vendors, see
https://wpt.fyi/results/content-security-policy/unsafe-eval/eval-in-iframe.html?label=pr_head&max-count=1&pr=32898
which tests the PR web-platform-tests/wpt#32898.
Am I missing something here?
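The two readings in question, as an added example that is not part of the original issue or of any browser's code: a simplified model of the string-compilation check, run once with both the caller's and callee's policies consulted (the reading described above) and once with only the realm that owns `eval` consulted. The realm objects, mode names and policy parser are assumptions made for illustration; report-only policies and violation reporting are left out.

```javascript
// Simplified model (assumption): a policy is a map of directive name -> source list,
// and every policy in a realm's list is enforced.
function parsePolicy(header) {
  const policy = new Map();
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!policy.has(name)) policy.set(name, tokens.slice(1)); // first occurrence wins
  }
  return policy;
}

// A policy forbids compiling strings when script-src (or, failing that,
// default-src) is present and does not list 'unsafe-eval'.
function policyBlocksEval(policy) {
  const sources = policy.get("script-src") ?? policy.get("default-src") ?? null;
  if (sources === null) return false;
  return !sources.some((s) => s.toLowerCase() === "'unsafe-eval'");
}

function realmBlocksEval(realm) {
  return realm.cspList.some((header) => policyBlocksEval(parsePolicy(header)));
}

// mode "caller+callee": the reading in the issue (both realms are consulted).
// mode "callee-only": hypothetical check that consults only eval's own realm.
function canCompileStrings(callerRealm, calleeRealm, mode) {
  const realms = mode === "caller+callee" ? [callerRealm, calleeRealm] : [calleeRealm];
  const blocker = realms.find(realmBlocksEval);
  return blocker ? { allowed: false, blockedBy: blocker.name } : { allowed: true, blockedBy: null };
}

// Constructed scenario from the issue: parent A has no CSP, child B has script-src 'self'.
const A = { name: "A (parent)", cspList: [] };
const B = { name: "B (child)", cspList: ["script-src 'self'"] };

function scenario() {
  return {
    bothRealms: canCompileStrings(B, A, "caller+callee"), // B calls A's eval
    calleeOnly: canCompileStrings(B, A, "callee-only"),   // same call, callee consulted alone
    ownEval: canCompileStrings(B, B, "callee-only"),      // B calls its own eval
  };
}
console.log(scenario());
```

Under the "callee-only" model, B's policy stops B's own `eval` but not a call routed through A's `eval`, which is the gap the two-realm reading closes.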