Inline handlers could execute trusted code without user input, but in a way that was unintended, like this button that hijacks a method of a trusted library and disguises it behind a like button:

  <button onclick="trustedLib.confirmDeleteAccount()">Like</button>

This should be sanitized when the button HTML is injected into the DOM, but CSP provides complementary protection [1] if sanitizing fails.

[1] https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/CSP...

edited: tried to fix formatting
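
An added example, not part of the comment above: a small checker that reports whether a given Content-Security-Policy value would let an inline handler such as the `onclick` above run, following the CSP3 fallback chain `script-src-attr` -> `script-src` -> `default-src`. The function names and the sample policies in the comments are constructed for illustration.

```javascript
// Added example: would this CSP let inline event-handler attributes run?
// Constructed sample policies:
//   "default-src 'self'"                        -> blocked
//   "script-src 'self' 'unsafe-inline'"         -> allowed
//   "script-src 'nonce-abc123' 'unsafe-inline'" -> blocked

function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    // The first occurrence of a directive wins; later duplicates are ignored.
    // Sources are lowercased only to classify them, not to compare hash values.
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), sources.map((s) => s.toLowerCase()));
    }
  }
  return directives;
}

const HASH = /^'sha(256|384|512)-/;
const NONCE = /^'nonce-/;

function inlineHandlerVerdict(policy) {
  const d = parsePolicy(policy);
  // Handler attributes are governed by the first of these that is present.
  const list = d.get('script-src-attr') ?? d.get('script-src') ?? d.get('default-src');
  if (list === undefined) return 'allowed'; // no directive covers script attributes

  const hasHash = list.some((s) => HASH.test(s));
  // A nonce, a hash or 'strict-dynamic' makes the browser ignore 'unsafe-inline'.
  const ignoresUnsafeInline =
    hasHash || list.some((s) => NONCE.test(s) || s === "'strict-dynamic'");

  if (list.includes("'unsafe-inline'") && !ignoresUnsafeInline) return 'allowed';
  // Hashes apply to handler attributes only when 'unsafe-hashes' is also set.
  if (list.includes("'unsafe-hashes'") && hasHash) return 'hash-listed-only';
  return 'blocked';
}

function headerVerdict(headerValue) {
  // Comma-separated policies are all enforced, so the most restrictive one wins.
  const rank = { blocked: 0, 'hash-listed-only': 1, allowed: 2 };
  return headerValue
    .split(',')
    .map(inlineHandlerVerdict)
    .reduce((a, b) => (rank[a] <= rank[b] ? a : b));
}
```

A `blocked` verdict means the injected button would still render if sanitizing failed, but its `onclick` would not execute.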