google-cloud-platform, google-cloud-storage, google-iam

How to make a google storage bucket a public website or a load balancer back end when there is an org policy of "public access prevention"


The org where I work has set an org-level policy constraint of constraints/storage.publicAccessPrevention and my projects inherit that.

I'd like to serve a bucket via a load balancer as a web site, which I see as a fundamental functionality of a cloud provider and that I need.

What do I do to make that happen with my organization's misguided policies? Is there some way to have the load balancer have a service agent? The drop-down for bucket access sort of gives me the impression that it only wants "principals." I don't really want to set up a VM with nginx or something similar to serve the files from this bucket.


Solution

  • When you apply the publicAccessPrevention constraint on a resource, public access is restricted for all buckets and objects, both new and existing, under that resource.

    The key item that your organization considered or should have considered is that this constraint should be enabled only if you never want public access.

    Since there is no method to bypass a constraint, your only option is to provide public access via another method that can access the storage with authorization.

    What do I do to make that happen with my organization's misguided policies?

    Speak to your organization administrator and explain what you want to do. Otherwise, you must accept their policy.

    Is there some way to have the load balancer have service agent?

    No, Google load balancers do not use service accounts.

    I don't really want to set up a VM with nginx or something similar to serve the files from this bucket.

    Nginx will not help you unless you copy the files from the bucket to the local file system or use FUSE. You will need to write a backend application that can process the content of the bucket and can either perform the access for the client (read from bucket, send data to client) or create Signed URLs or Signed Cookies so that the client can access the Cloud Storage object directly.

    There is no simple solution to getting around this constraint. That is the purpose of preventing data leakage.