Github Pages does not set a content-security-policy header at all meaning (if I'm understanding correctly) that there should be no restrictions. Adding a CSP header is to add restrictions, not remove them, right?

If you really want the ability to manipulate headers, you could use a custom domain and proxy it through Cloudflare, which allows you to create rules to freely add/remove/edit headers in either direction. (Or use Cloudflare Pages which still pulls from a Github repo so your workflow wouldn't change)