
XSS and CSP "default-src https:" inconsistency in web_security.md #131

@polybuildr

web_security.md says:

  • Aiming for default-src https: is a great first goal, as it disables inline code and requires https.
  • For existing websites with large codebases that would require too much work to disable inline scripts, default-src https: 'unsafe-inline' is still helpful, as it keeps resources from being accidentally loaded over http. However, it does not provide any XSS protection.

This implied to me that default-src https: did provide XSS protection but if you instead use default-src https: 'unsafe-inline', you lose this XSS protection.

However, later in the same document:

# Disable unsafe inline/eval, only allow loading of resources (images, fonts, scripts, etc.) over https
# Note that this does not provide any XSS protection
Content-Security-Policy: default-src https:

This seems inconsistent to me. If I understood the docs correctly, the code snippet should not say "Note that this does not provide any XSS protection".

Edit: After reading through the docs a bit more, I guess even default-src https: does not provide XSS protection because an attacker could inject a <script> with a src to their own https:// link through some other vulnerability? If my updated understanding is correct, then perhaps the earlier reference to XSS protection should be moved up a bullet point?
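As an added illustration (not code from the guidelines repository or from the issue author), the following JavaScript is a small evaluator for the CSP source expressions this issue talks about. It models scheme-sources such as https:, host-sources, 'self', 'none' and 'unsafe-inline' only; nonces, hashes, path matching and 'strict-dynamic' are deliberately left out, and all function names, policies and URLs are my own constructions. Run under Node, it shows the two facts behind the issue: default-src https: blocks inline script but lets a script tag load from any https host, so an injected external script still runs, while an allowlist of specific hosts (or 'self') does block it.

```javascript
// Added example, not part of the original guidelines or issue. A minimal
// evaluator for CSP source expressions. Modelled: scheme-sources ("https:"),
// host-sources ("cdn.example", "*.example.org", "https://cdn.example:443"),
// 'self', 'none', 'unsafe-inline'. Not modelled: nonces, hashes, paths,
// 'strict-dynamic'. All names here are my own.

// "default-src https: 'unsafe-inline'; script-src 'self'" ->
// { "default-src": ["https:", "'unsafe-inline'"], "script-src": ["'self'"] }
function parsePolicy(header) {
  const directives = {};
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    directives[name.toLowerCase()] = sources;
  }
  return directives;
}

// Fetch directives such as script-src fall back to default-src when absent.
// Returns null when neither is present (the policy then imposes no restriction).
function sourcesFor(policy, directive) {
  return policy[directive] ?? policy["default-src"] ?? null;
}

function effectivePort(url) {
  if (url.port) return url.port;
  return url.protocol === "https:" ? "443" : url.protocol === "http:" ? "80" : "";
}

// host-source: [scheme://]host[:port], where host may be "*" or "*.example.org".
function matchesHostSource(source, url, page) {
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([a-z0-9.-]+|\*)(?::(\d+|\*))?$/i.exec(source);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  if (scheme) {
    if (url.protocol !== scheme.toLowerCase() + ":") return false;
  } else if (url.protocol !== page.protocol && url.protocol !== "https:") {
    // No scheme given: the page's own scheme applies, and https is always acceptable.
    return false;
  }
  const h = url.hostname.toLowerCase();
  const want = host.toLowerCase();
  if (want === "*") {
    // "*" matches any host
  } else if (wildcard) {
    if (!h.endsWith("." + want)) return false;
  } else if (h !== want) {
    return false;
  }
  if (port && port !== "*" && effectivePort(url) !== port) return false;
  return true;
}

function matchesSource(source, url, page) {
  if (source === "'self'") return url.origin === page.origin;
  if (source.startsWith("'")) return false;     // 'none', 'unsafe-inline', ... never match a URL
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) {   // scheme-source, e.g. "https:"
    return url.protocol === source.toLowerCase();
  }
  return matchesHostSource(source, url, page);
}

// Would <script src="scriptUrl"> on a page at pageOrigin be allowed to load?
function allowsScriptSrc(header, pageOrigin, scriptUrl) {
  const sources = sourcesFor(parsePolicy(header), "script-src");
  if (sources === null) return true;
  const url = new URL(scriptUrl);
  const page = new URL(pageOrigin);
  return sources.some((s) => matchesSource(s, url, page));
}

// Would an inline <script>...</script> block be allowed to run?
function allowsInlineScript(header) {
  const sources = sourcesFor(parsePolicy(header), "script-src");
  return sources === null || sources.includes("'unsafe-inline'");
}

// Constructed demonstration of the point raised in the issue.
const PAGE = "https://example.org";              // constructed page origin
const INJECTED = "https://third-party.example/x.js"; // constructed https host outside any allowlist

const loose = "default-src https:";
const withInline = "default-src https: 'unsafe-inline'";
const strict = "default-src 'self'; script-src 'self' https://cdn.example";

console.log(loose, "blocks inline script:", !allowsInlineScript(loose));                  // true
console.log(loose, "allows a script from any https host:", allowsScriptSrc(loose, PAGE, INJECTED)); // true
console.log(withInline, "allows inline script:", allowsInlineScript(withInline));         // true
console.log(strict, "allows the injected script:", allowsScriptSrc(strict, PAGE, INJECTED)); // false
```

The last two lines are the whole point of the docs wording: the only thing that changes between the first two policies is inline script, and neither of them stops a script tag whose src points at an https host the page never meant to trust. Restricting script-src to 'self' plus named hosts is what turns the policy into XSS mitigation.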
