Almost all Joomla 3 extensions and Joomla 3 itself will break when setting a Content-Security-Policy (CSP) header. Joomla 4 added CSP as an optional feature, but be advised that most third-party extensions will break. It took me over a month to revise the JS on all of our extensions to make it compatible with a strict CSP.
Since CSP requires passing a token that changes on each session to allow inline scripts and styles, we cannot implement it in Admin Tools' .htaccess Maker. The content there is static. Moreover, it wouldn't be realistic to let you define exceptions in this case. The correct approach is what Joomla 4 is doing. So you won't see us implementing CSP, as it'd be a duplication of an already good effort.
The Permissions-Policy has similar challenges. It tells the browser which browser (HTML5) features your site needs to function. Moreover, you may restrict certain features to certain URLs only. For example, you may want to limit geolocation to a page which allows your user to submit their current location along with an urgent, location-specific support request (real world use case!). Because of its open-ended nature it makes no sense for us to implement it in a UI. It is best constructed by hand and included at the bottom of the .htaccess.
Referrer-Policy CAN be changed in the .htaccess Maker; you just didn't do it, so the default is the unsafe option. For most sites strict-origin works fine. There are very few use cases where the Referer needs to pass the full URL to an external domain, e.g. if you are using a link tracker on a subdomain / external domain or some third-party integrations. The only way to find out is to try and see.
Expect-CT is non-standard and has to do with the maximum TLS certificate lifetime being progressively reduced by browsers. You really don't have to worry about it. This is a flag header for some special use cases where a large company might sign its own certificates. Nothing that has to do with you or virtually all users of Admin Tools.
Do remember that the security headers exposed in .htaccess Maker are just those which make sense for the general population and which can be set to a static value in .htaccess. Specialty headers are not going to become .htaccess Maker options. As I said, CSP is best handled the way J4 will be handling it, and the Permissions-Policy header is something you shouldn't mess with unless you know EXACTLY which browser features every single JavaScript file on your site needs. Otherwise you'll end up with inexplicable "bugs" in 3PD software which are not bugs; they are actually misconfigurations of your site.
Nicholas K. Dionysopoulos
Lead Developer and Director
🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!
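As an added illustration of the hand-written headers discussed in the reply above (this is example configuration, not Admin Tools' or the author's own .htaccess Maker output), the fragment below sets Referrer-Policy to strict-origin, denies unneeded browser features site-wide with Permissions-Policy, and re-enables geolocation only on one page. It assumes Apache 2.4 with mod_headers; the path /support/urgent is a hypothetical stand-in for the "urgent support request" page.

```apache
# Added example, not part of the original post. Append to the bottom of .htaccess.
# Assumes Apache 2.4 (needed for <If>) with mod_headers enabled.
# CSP is deliberately absent: its per-session nonce cannot live in a static file.

<IfModule mod_headers.c>
    # Cross-origin requests carry only the origin; nothing is sent on an HTTPS -> HTTP downgrade.
    Header always set Referrer-Policy "strict-origin"

    # Site-wide default: an empty allowlist "()" disables the feature for the page and
    # for every frame it embeds. Add or remove features to match what your JS actually uses.
    Header always set Permissions-Policy "geolocation=(), camera=(), microphone=(), payment=(), usb=()"

    # Only the hypothetical urgent-support page may ask for the visitor's location.
    # Header directives inside <If> are merged last, so this value replaces the site-wide one
    # for that URL only; "self" limits the grant to the page's own origin.
    <If "%{REQUEST_URI} == '/support/urgent'">
        Header always set Permissions-Policy "geolocation=(self), camera=(), microphone=(), payment=(), usb=()"
    </If>
</IfModule>
```

After deploying, request the support page and any ordinary page with `curl -sI` and compare the Permissions-Policy lines, then watch the browser console for "Permissions policy violation" messages from third-party scripts before tightening further.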