After thinking more, the main issue I see with serving media over an IPFS gateway is the content-type header. The gateway tries to guess, and it could return application/javascript. Of course serving on a subdomain with CSP solves it, but it's not layered security. Need to solve that.