Yup!
MDN has a nice explanation and examples.
The
'strict-dynamic'source expression specifies that the trust explicitly given to a script present in the markup, by accompanying it with a nonce or a hash, shall be propagated to all the scripts loaded by that root script
So, as long as the original script is trusted (via a nonce), the browser allows it to load any other scripts without restriction. And then, since those scripts are trusted, they can load more!
There is one caveat, which is that scripts cannot be ‘parser inserted’. This prevents strict-dynamic being exploited for XSS attacks.
So for example, this would be ‘parser inserted’ and would be blocked:
document.head.appendChild("<script src='https://example.com/xss-attempt.js' />");
But, constructing the script element programmatically does not involve HTML parsing, is much less likely to be an XSS vector, and so it’s allowed:
const script = document.createElement("script");
script.src = "https://example.com/script.js"
document.head.appendChild(script);
^^ this is essentially how loadScript() works