Accessing the nonce from JavaScript, makes all nonce based CSPs strict-dynamic (opens in new tab)

Stumbled upon this and seems like a security issue. Why do browser not block the access to the nonce attribute?