Tags: html, xss, meta-tags, meta, content-security-policy

Does HTML's Content-Security-Policy protect against inline scripting attacks?


I can understand how it would work with someone injecting then linking an external JS file for example, but what about just straight up scripting in the script tags? You can't tell if it's from another source.


Solution

  • CSP does protect against this by default. As you said, it's hard to tell the true origin of such content, so CSP solves this by forbidding inline scripts (including things like onclick="" attributes) by default. There are only two ways to use an inline script: either by specifying 'unsafe-inline', which disables the protection, or by specifying a nonce or hash to whitelist a particular inline script.

    It is noteworthy that at the time of this writing (August 2015) not all browsers support the nonce and hash method of whitelisting inline scripts, so that may cause undesirable behavior in browsers that aren't ready for CSP level 2.