I would absolutely advocate for re-adding X-Content-Type-Options: nosniff as long as we don't have a way to set headers directly in the Security Settings of Cloudron Apps (like we can with CSP headers). That header still provides meaningful protection against MIME-sniffing attacks and has widespread browser support.
AFAIK, X-Permitted-Cross-Domain-Policies is still used by Acrobat (which is unfortunately far from dead), but I agree it's fair to remove it from the default configuration since it's an edge case.