These directives would allow embedding only from the specific origin https://domain.tld
and should be much safer:
# drop the upstream's own framing headers so only the ones set here reach the browser
proxy_hide_header X-Frame-Options;
proxy_hide_header Content-Security-Policy;
# re-issue the CSP, restricting framing to this site and https://domain.tld
add_header Content-Security-Policy "frame-ancestors 'self' https://domain.tld; script-src 'self' cdn.rudderlabs.com cdn.segment.com/analytics.js/";
I’m not a security expert but I guess this should be safe for production as well.
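To see what that frame-ancestors list actually permits, here is an added check (not the poster's code) that parses the CSP value above and decides whether a given embedding origin may frame the page; the matching is a simplified model of the CSP host-source rules, and the page origin https://app.example and the other test origins are constructed.

```python
from urllib.parse import urlsplit

# Constructed sample: the CSP value from the nginx add_header directive above.
SAMPLE_CSP = ("frame-ancestors 'self' https://domain.tld; "
              "script-src 'self' cdn.rudderlabs.com cdn.segment.com/analytics.js/")

def frame_ancestors(csp):
    """Return the frame-ancestors source list, or None when the directive is
    absent (absent means the policy does not restrict framing at all)."""
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            return parts[1:]
    return None

def _parts(origin):
    """Split 'scheme://host[:port]' into (scheme, host, effective port)."""
    u = urlsplit(origin.lower())
    return u.scheme, u.hostname, u.port or {"http": 80, "https": 443}.get(u.scheme)

def _source_matches(source, origin, page_origin):
    """Simplified CSP host-source matching for one source expression."""
    src = source.lower()
    if src == "'none'":
        return False
    if src == "'self'":
        return _parts(origin) == _parts(page_origin)
    if src == "*":
        return True
    scheme, host, port = _parts(origin)
    if src.endswith(":"):                   # scheme-source such as "https:"
        return scheme == src[:-1]
    if "://" not in src:                    # bare host inherits the page's scheme
        src = _parts(page_origin)[0] + "://" + src
    s_scheme, s_host, s_port = _parts(src)
    if s_host.startswith("*."):             # "*.domain.tld" matches any subdomain
        host_ok = host.endswith(s_host[1:])
    else:
        host_ok = host == s_host
    return host_ok and scheme == s_scheme and port == s_port

def may_embed(csp, embedder_origin, page_origin):
    """True if a page served with `csp` at `page_origin` may be framed by
    `embedder_origin`; any one matching source in the list is enough."""
    sources = frame_ancestors(csp)
    if sources is None:
        return True
    return any(_source_matches(s, embedder_origin, page_origin) for s in sources)
```

With the policy above, https://domain.tld and the site itself pass while an unlisted origin, a plain-http variant of domain.tld, or a non-default port on it are refused; a policy with no frame-ancestors directive at all refuses nothing, which is why hiding the upstream header and re-adding your own matters.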