You keep saying the thing about same-origin; I wonder how you think Google Analytics and similar services work, if sites can't send data to external services.

CSP headers won't ever reach the browser if the attacker has MITM, so they are irrelevant.
They work the same way in HTTPS as they do in HTTP. Same origin applies to the domain of asset reference. If you have CSP in place you must specify an exception for GA or it won't work.

If the attacker has MITM capabilities they can redirect the page to an untrusted location and bypass the valid server completely. MITM isn't typically limited to layer 7 unless the goal is to stand in the encrypted tunnel.