Tom do you have any thoughts on these bugs, or can you help triage?

I'm not clear on any practical consequences here since script shouldn't be running on the preview with the imported resources, and the user generally wouldn't see it. It might not really be a bug, although I don't know why these resources would load in this case.

Is this a dupe of  issue 860856 ? It's not clear to me whether there's any difference.

There doesn't seem to be any meaningful difference.

This issue differs from the other one in that it applies to any images (and only images) that a web page tries to load while the DevTools Network panel is open. The other issue is with pages displayed as request previews. I thought they seemed like separate issues that likely had separate causes.
The CSP isn't necessarily meant to apply to the DevTools, so maybe it isn't really a bug. However, I was surprised to discover that when the DevTools reports that an image was blocked by the CSP, it requests that image to show a thumbnail of what was blocked. If the thumbnail is a blank image or corrupt image, it isn't obvious to the user that a thumbnail was downloaded.
A possible (though unlikely) scenario is that a user with the DevTools open sees that an image request exfiltrating sensitive data was blocked by the CSP. The (blocked:csp) status could lead the user to believe their data is safe, though the open DevTools Network panel actually causes the request to be made.

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot