magento2 – csp_whitelist.xml for themes

Content security policies for custom modules can be added by setting up a csp_whitelist.xml file, i.e. app/code/Vendorname/Modulename/etc/cps_whitelist.xml, this is more or less excessively described in the docs.

However, the docs also mention

Configure CSPs for your custom code/extension/theme

Yet, I seem to be unable to get a working whitelist addition from within a custom theme, i.e. app/design/Vendorname/Themename/etc/cps_whitelist.xml?

etc/csp_whitelist.xml:

<?xml version="1.0" encoding="UTF-8"?>
<csp_whitelist xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="urn:magento:module:Magento_Csp:etc/csp_whitelist.xsd">
    <policies>
        <policy id="style-src">
            <values>
                <value id="fontsGoogleapisCom" type="host">fonts.googleapis.com</value>
            </values>
        </policy>
    </policies>
</csp_whitelist>

This very same whitelist is working and brings me the expected result when moved to a custom module (i.e. app/code/Vendorname/ThemenameCsp).

Am I supposed to create a custom-theme-related custom module just to allow my custom theme to load an external font? Seems a bit nasty to me if that’s actually the case.