As mentioned in the other topic you started already (Allowance of Inline JavaScript poses a security risk), the script-src inline is only allowed for the /admin interface. That interface has no access to the passwords or keys or whatever.
The web-vault has no inline script-src enabled, and thus no issue.