TL;DR The Google developer documentation includes CSP examples which use domain wildcards (which have been widely cut & pasted), and additionally there are numerous endpoints within the Google eTLDs which are vulnerable to JavaScript XSS. These can be combined into an effective attack against any domain with an HTML injection vector that would be otherwise unexploitable.
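Added example, not part of the original posts: a simplified JavaScript model of CSP `script-src` matching, showing why a wildcard host source admits a script URL on a JSONP endpoint of the kind this thread cites, while a path-pinned or nonce-based policy does not. The three policies are constructed samples, and the checker assumes an https page and does not model ports, redirects or `'self'`.

```javascript
// Added example: simplified CSP script-src matching (not a full CSP3 implementation).
// Assumes an https page; ports, redirects and 'self' origin checks are not modelled.
const SCHEME = /^[a-z][a-z0-9+.-]*:$/i;
function scriptSources(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const [name, ...values] = part.trim().split(/\s+/);
    if (name && !directives.has(name.toLowerCase())) directives.set(name.toLowerCase(), values);
  }
  return directives.get('script-src') ?? directives.get('default-src') ?? null;
}

function sourceMatches(source, url) {
  if (source === '*') return url.protocol === 'https:';
  if (SCHEME.test(source)) return url.protocol === source.toLowerCase();
  if (source.startsWith("'")) return false; // keywords, nonces, hashes do not match by URL
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)(?::(?:\d+|\*))?(\/.*)?$/i.exec(source);
  if (!m) return false;
  const [, scheme = 'https', pattern, path] = m;
  if (url.protocol !== scheme.toLowerCase() + ':') return false;
  const host = url.hostname.toLowerCase(), pat = pattern.toLowerCase();
  // "*.example.com" covers every subdomain but not the bare domain itself.
  if (!(pat.startsWith('*.') ? host.endsWith(pat.slice(1)) : host === pat)) return false;
  if (!path || path === '/') return true;
  return path.endsWith('/') ? url.pathname.startsWith(path) : url.pathname === path;
}

// Would a <script src> injected without a nonce be allowed to load?
function allowsInjectedScript(policy, src) {
  const sources = scriptSources(policy);
  if (sources === null) return true; // nothing restricts script loads
  if (sources.includes("'strict-dynamic'")) return false; // host/scheme sources are ignored
  const url = new URL(src);
  return sources.some((s) => sourceMatches(s, url));
}

// Sources that trust a whole scheme or every subdomain of a domain.
function broadSources(policy) {
  return (scriptSources(policy) ?? []).filter(
    (s) => s === '*' || SCHEME.test(s) || /^(?:[a-z][a-z0-9+.-]*:\/\/)?\*\./i.test(s));
}

// Constructed sample policies; the URL is the endpoint cited in the thread, callback shortened.
const WILDCARD_POLICY = "default-src 'self'; script-src 'self' https://*.google.com https://*.gstatic.com";
const PATH_POLICY = "script-src 'self' https://www.google.com/recaptcha/";
const NONCE_POLICY = "script-src 'nonce-CONSTRUCTED' 'strict-dynamic'";
const JSONP_URL = 'https://www.google.com/complete/search?client=firefox&q=why&jsonp=cb';
for (const p of [WILDCARD_POLICY, PATH_POLICY, NONCE_POLICY])
  console.log(allowsInjectedScript(p, JSONP_URL), broadSources(p).join(' ') || '-', '|', p);
```

Browsers ignore the path part of a source expression once a request has been redirected, so the path-pinned policy is weaker in practice than this model suggests; the nonce-based form does not depend on host allowlists at all.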
Oh dear. ;)
<script src=https://www.google.com/complete/search?client=firefox&q=why&jsonp=%28alert%281%29%29></script>
"they have updated the CSP documentation so that it no longer has the wildcards": which documentation? For maps, they still show the wildcards.