Thanks. Especially the homakov post is enlightening, as it explains that removing the report-uri feature is not even enough to make this exploit impossible, as the onload/onerror events also signal success or failure.
Is there anything good that report-uri is used for that is more important than removing this exploit possibility?
Report URIs are pretty important for deploying CSP on an existing site. Without them, you'd have to risk breaking the experience for a lot of users (because it's hard to nail the policy on the first try) and you'd never get any logs explaining what was blocked.
The conclusion: security benefits of CSP outweigh cons.
[1] http://lists.w3.org/Archives/Public/public-webappsec/2014Feb...
[2] http://homakov.blogspot.de/2014/01/using-content-security-po...
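To illustrate the reply above about deploying CSP with report URIs, here is an added example that is not part of the thread: a report-only policy plus a collector routine that turns violation reports into a list of sources to review before enforcing. The header value, the `/csp-report` path, the function names and the sample report bodies are all constructed for illustration.

```python
import json
from collections import Counter
from urllib.parse import urlsplit

# Constructed report-only policy: violations are reported, nothing is blocked.
REPORT_ONLY_HEADER = ("Content-Security-Policy-Report-Only",
                      "default-src 'self'; script-src 'self'; report-uri /csp-report")

def blocked_source(blocked_uri):
    """Reduce blocked-uri to its origin; keep keywords such as 'inline' as-is."""
    parts = urlsplit(blocked_uri)
    if parts.scheme in ("http", "https") and parts.netloc:
        return f"{parts.scheme}://{parts.netloc}"
    return blocked_uri or "unknown"

def summarize_reports(raw_bodies):
    """Count violations per (directive, source). Bodies are untrusted input,
    so anything that does not parse as a report is counted and skipped."""
    counts, rejected = Counter(), 0
    for body in raw_bodies:
        try:
            report = json.loads(body)["csp-report"]
            # Older browsers send only violated-directive, with its source list.
            directive = (report.get("effective-directive")
                         or report["violated-directive"]).split()[0]
            source = blocked_source(report.get("blocked-uri", ""))
        except (ValueError, KeyError, TypeError, IndexError, AttributeError):
            rejected += 1
            continue
        counts[(directive, source)] += 1
    return counts, rejected

def review_candidates(counts, min_hits=2):
    """Sources seen at least min_hits times: review these before enforcing."""
    return sorted((d, s, n) for (d, s), n in counts.items() if n >= min_hits)

# Constructed sample POST bodies, as a browser would send to /csp-report.
SAMPLE_BODIES = [
    json.dumps({"csp-report": {"violated-directive": "script-src 'self'",
                               "blocked-uri": "https://cdn.example.net/lib.js"}}),
    json.dumps({"csp-report": {"effective-directive": "script-src",
                               "blocked-uri": "https://cdn.example.net/other.js"}}),
    json.dumps({"csp-report": {"effective-directive": "style-src",
                               "blocked-uri": "inline"}}),
    "not json",
    json.dumps({"unexpected": 1}),
]

if __name__ == "__main__":
    counts, rejected = summarize_reports(SAMPLE_BODIES)
    print(review_candidates(counts), "rejected:", rejected)
```

Anyone can POST to a report endpoint, so the counts are a hint about what the policy misses, not a trusted allowlist.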