Reputation: 7731
An external library (Profitwell Retain (Paddle)) requires adding `'unsafe-inline'` to the CSP `script-src` entry.
The project's build `index.html` file (adapter-static) contains an inline script:

    <script>
    {
        __sveltekit_yhu4zf = {
            base: new URL(".", location).pathname.slice(0, -1)
        };
        const element = document.currentScript.parentElement;
        const data = [null,null];
        Promise.all([
            import("./_app/immutable/entry/start.CRoheQks.js"),
            import("./_app/immutable/entry/app.0VxaVNPP.js")
        ]).then(([kit, app]) => {
            kit.start(app, element, {
                node_ids: [0, 3],
                data,
                form: null,
                error: null
            });
        });
    }
    </script>
and the corresponding `sha` hash is added to the CSP `script-src`, which prevents the external library from functioning correctly since, as the error says: "Note that 'unsafe-inline' is ignored if either a hash or nonce value is present in the source list."
This (rather old) open issue indicates there is no official option to externalize the script. Is there any practicable workaround to solve this, or is removing the `script-src` entry altogether the only solution to this at the moment?
Edit: I just realised that when the `script-src` is not defined in the `svelte.config` it will be added automatically, so I guess it's removing the CSP altogether if there is no way to prevent the SvelteKit inline script and `sha` creation.
(Is there a technical reason for the external library to require the 'unsafe-inline' or could this be prevented in principle?)
Upvotes: 1
Views: 56