As a plugin developer, I want a safe place to publish static assets
Well, yes, but also we want admins to stop recklessly disabling CSP because of the many things that inevitably break when it is enabled and for which Googling the error message gives you bad advice.
I'd imagine we should try to support all the listed suggestions from Jesse Glick
Maybe I should clarify: the list is in order from easiest to configure to hardest to configure (in general). So if it seems that merely having a nonequal host suffices for protection, then https://static.dev.mycorp.com/ would be the most attractive option as it only requires that your DNS grant for Jenkins accepts wildcards, which it may already. The code in Jenkins need not care at all which host you choose, but we need to have a canonical recommendation for the reverse proxy that is likely to be implementable.
Any directory browser that requires authentication
See above. Daniel Beck and I are both assuming that the feature is fully usable when the DirectoryBrowserSupport.owner is accessible only to certain authenticated users, because the static “site” is serving content only from specially constructed URLs that encode sufficient credentials. See for example what GitHub does when showing a Raw link for a file in a private repository.
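The "specially constructed URLs that encode sufficient credentials" idea from the reply above, as an added sketch that is not part of the original comment and is not Jenkins' own code. The secret, the `/static-files/` layout, the token format and the function names are all assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import time

SECRET = b"constructed-demo-key"                 # assumption: per-instance server secret
RESOURCE_ROOT = "https://static.dev.mycorp.com"  # the separate host from the discussion
PREFIX = RESOURCE_ROOT + "/static-files/"        # hypothetical URL layout

def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_url(user, owner_path, file_path, now=None, ttl=600):
    """Issued by the main host after it has authenticated and authorized `user`."""
    if "\n" in user or "\n" in owner_path:
        raise ValueError("newline would make the claim ambiguous")
    expires = int(time.time() if now is None else now) + ttl
    claim = f"{user}\n{owner_path}\n{expires}".encode()
    mac = hmac.new(SECRET, claim, hashlib.sha256).digest()
    return f"{PREFIX}{_b64(mac)}.{_b64(claim)}/{file_path}"

def resolve(url, now=None):
    """Run on the static host, which sees no session cookie. Returns
    (user, owner_path, file_path) if the token is valid, else None."""
    if not url.startswith(PREFIX):
        return None
    token, _, file_path = url[len(PREFIX):].partition("/")
    mac_b64, _, claim_b64 = token.partition(".")
    try:
        mac, claim = _unb64(mac_b64), _unb64(claim_b64)
    except ValueError:
        return None
    expected = hmac.new(SECRET, claim, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):   # constant-time comparison
        return None
    user, owner_path, expires = claim.decode().split("\n")
    if int(expires) < (time.time() if now is None else now):
        return None
    if not file_path or ".." in file_path.split("/"):  # stay inside the owner's directory
        return None
    # A real server would now re-check that `user` may still read `owner_path`.
    return user, owner_path, file_path
```

Because the token binds the user, the owner and an expiry, a leaked URL stops working after `ttl` seconds and cannot be rewritten to point at a different owner.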