Can a sandbox applied on a same origin iframe using CSP Header with allow-same-origin be bypassed?

I have an iframe on my web app which I want to sandbox to prevent things like the opening of popups, etc. But I also want to allow-same-origin on it for some reasons. So the sandbox attributes I want to apply are: allow-scripts allow-forms allow-same-origin. The iframe is of the same origin as its parent.

Now, if I apply the sandbox using the iframe's sandbox attribute, I know that it can be bypassed by removing the sandbox attribute from the iframe by accessing the parent's DOM.

But what if I apply the sandbox using the sandbox CSP directive? I deliver the CSP using an HTTP header. Can it be bypassed?