Content Security Policy: Is data: applied to all items in the img-src source list?
Question
I've got a content security policy and I'm trying to determine if I can allow data images, such as base64-encoded PNGs (CSS code), for just 'self' or if it must apply to all sources in the list. I can't find any documentation that tells me what data: is applied to. I assume then it's applied to the entire source list. Can anyone confirm?
img-src 'self' https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/ https://ajax.googleapis.com https://www.google-analytics.com https://www.googletagmanager.com data:;
I'm also trying to determine if there are any security concerns with this img-src. Thank you for any comments.
Answer 1
Score: 1
'self' and data: are both values. Neither applies to the other. Both apply to directives (in this case img-src).
Answer 2
Score: 1
Images are typically not a security threat by themselves, particularly when they are loaded as data: in an allowlisted CSS file. It could be a way to smuggle a script, but images don't carry the same risk.
Images could potentially carry malicious content, but the main reason to restrict img-src would be to prevent data exfiltration in image URLs. This would not apply to the data scheme.
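To make the point of both answers concrete (each source expression in img-src stands on its own, so data: admits every data: URL no matter which hosts are listed), here is an added example that is not part of the question or either answer: a simplified matcher for the asker's directive. It assumes a page origin of https://example.com and handles only the source forms present in the directive ('self', host sources with an optional path prefix, and the data: scheme); ports, wildcards and nonce/hash sources are out of scope.

```javascript
// Added example, not the original poster's code. Simplified CSP img-src
// matcher for the directive from the question; page origin is assumed to be
// https://example.com. Ports, wildcards and nonce/hash sources are not handled.
const IMG_SRC =
  "img-src 'self' https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/ " +
  "https://ajax.googleapis.com https://www.google-analytics.com " +
  "https://www.googletagmanager.com data:;";

// Split one directive into its name and its list of source expressions.
function parseDirective(directive) {
  const tokens = directive.replace(/;$/, '').trim().split(/\s+/);
  return { name: tokens[0], sources: tokens.slice(1) };
}

// Does a single source expression allow this URL, for a page at pageOrigin?
// Each expression is checked independently; none of them qualifies another.
function sourceMatches(source, url, pageOrigin) {
  if (source === "'self'") return url.origin === pageOrigin;
  // The scheme source data: matches every data: URL regardless of host list.
  if (source === 'data:') return url.protocol === 'data:';
  // Host source: same origin, and a trailing slash means path-prefix match.
  const allowed = new URL(source);
  if (allowed.origin !== url.origin) return false;
  if (!source.endsWith('/')) return true;          // bare host, any path
  return url.pathname.startsWith(allowed.pathname); // e.g. /recaptcha/...
}

// Would the directive allow loading this image from a page at pageOrigin?
function imageAllowed(directive, urlString, pageOrigin) {
  const { sources } = parseDirective(directive);
  const url = new URL(urlString, pageOrigin); // relative URLs resolve to 'self'
  return sources.some(s => sourceMatches(s, url, pageOrigin));
}

// Rebuild the directive without one source, e.g. to see what dropping data: changes.
function withoutSource(directive, source) {
  const { name, sources } = parseDirective(directive);
  return `${name} ${sources.filter(s => s !== source).join(' ')};`;
}
```

Removing data: from the list is the only way to stop data: images; there is no syntax that ties the data: scheme to 'self' or to one host.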