Since it does not go through Fetch, none of the security policies are applied to it. Seems wrong. Not entirely sure where the best general place would be to address this; filing this as a start.
I agree that this isn't ideal.
ISTM that it might be easiest to just have a "no-webrtc" directive, rather than trying to have fine-grained filters.
More and more sites are (ab)using WebRTC to pull data from remote servers through browsers with no obvious way for users to be informed about such connections to remote servers, and no means to prevent these connections from happening on a per-site basis. I observe that such use is spreading fast. Example:
A no-webrtc directive would solve this.