> how much of that JS is functional

Lots of sites become more functional with JS disabled.

I'm more curious how much of that js is intended to load more js that has been blocked (by the browser, adblocker, hosts file/DNS, etc).

CNN specifically isn't a site I visit much, but most news sites load a ton of third-party stuff (being on mobile makes it hard to check)

It is the web devs' responsibility to say no to bs. However, very few do, and some even welcome the bloat as a job guarantee.

This is not how the web works.

That's like asking any other software dev to "say no" to letting other programs run concurrent with their own. It's just not within scope and any attempts to have your program behave this way will be impossible to maintain.

If you're a business that wants to inject ads without anyone getting in the way, all you have to do is host the pages somewhere the dev can't touch. This would likely be a CDN or similar for a multitude of other good reasons. So the content security policy is now only configurable by the admin who really doesn't give a shit and doesn't even know what's being hosted on there.