Closed
Description
In https://github.com/symfony/symfony/blob/master/src/Symfony/Bundle/WebProfilerBundle/Resources/views/Profiler/base_js.html.twig, eval is used to evaluate embedded scripts, but this is the only place in Symfony it is needed. Refactoring this would get rid of eval and would allow users to use very strong, very secure Content-Security-Policies.
As noted in #27525, eval cannot be allowed via nonce, and allowing it only when the profiler is active is not desirable because other violations may not be noticed because of it.
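
The nonce limitation mentioned above can be checked mechanically against a policy string. This is an added example, not part of the original issue or of Symfony's code; the function names and sample policies are constructed, and it models only the CSP Level 3 rule that `eval()` is governed by `script-src` (falling back to `default-src`) and permitted only by the `'unsafe-eval'` keyword.

```javascript
// Added example: does a Content-Security-Policy value permit eval()?
// Hypothetical helper names; models only the script-src/default-src rule.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored; the first occurrence wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

function evalVerdict(policy) {
  const directives = parseCsp(policy);
  // script-src-elem and script-src-attr do not apply to eval().
  const governing = directives.has('script-src') ? 'script-src'
    : directives.has('default-src') ? 'default-src' : null;
  if (governing === null) {
    return { allowed: true, governing, reason: 'no directive restricts script' };
  }
  const sources = directives.get(governing).map((s) => s.toLowerCase());
  if (sources.includes("'unsafe-eval'")) {
    return { allowed: true, governing, reason: "'unsafe-eval' is listed" };
  }
  const hasNonce = sources.some((s) => s.startsWith("'nonce-"));
  return {
    allowed: false,
    governing,
    reason: hasNonce
      ? 'a nonce authorizes <script> elements only, not eval()'
      : "'unsafe-eval' is not listed",
  };
}

// Constructed sample policies; the nonce value is a placeholder.
const samplePolicies = [
  "default-src 'self'; script-src 'self' 'nonce-r4nd0m'",
  "script-src 'self' 'unsafe-eval'",
  "default-src 'self' 'unsafe-eval'; script-src 'nonce-r4nd0m' 'strict-dynamic'",
  "script-src 'self' 'wasm-unsafe-eval'",
];
for (const policy of samplePolicies) {
  const verdict = evalVerdict(policy);
  console.log(`${verdict.allowed ? 'eval allowed' : 'eval blocked'} (${verdict.reason}): ${policy}`);
}
```

Running a deployed policy through such a check with the profiler enabled shows whether `'unsafe-eval'` would have to be added for it to work.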