HTTPS, code and binaries signing, etc all depend on the fact that getting a malicious message with a hash signature that collides with another arbitrary message is all but impossible. If you don't trust that, you're pretty much unable to trust anything that's transmitted over the 'net, and this potential hole is not significant in that context.
That's a fair point. But it still increases the attack surface for questionable gain. You're not just relying on the attacker being unable to create a hash collision. You're also relying on all browsers to provide a correct implementation of this code sharing mechanism.
Allowing this sort of code sharing provides another attack vector. If a malicious site is able to exploit a browser vulnerability that allows it to populate the shared cache, then you've suddenly enabled code injection on any site using subresource integrity.
