What legitimate use do those onerror / onload callbacks have... that seems like the kind of thing that should be restricted to same origin!

Similarly to CSP, onload and onerror are not the only ways to pull it off. The effect of successfully or unsuccessfully loading images or scripts can be usually inferred without that; for example, images have dimensions that, even if you take away the ability to read them directly, can be inferred from the changes to the layout of the nearby elements.

I've seen it used for fallbacks when loading resources hosted on a CDN.