The only thing to understand is that it does nothing useful today.
What do you mean? It's a way to mitigate a certain attack vector and as far as I can tell, it works as intended given the circumstances it was designed under.
Doesn't it help protect clients from malicious 3P JS?
At least so long as they don't have malicious extensions or a non-CORS browser?