Because CSAM is a serious issue, a really serious issue, I don't think ANYONE can take the risk of possibly publishing the actual URLs and scores (or even domains and score) publicly.... right?
Discussion
I haven't thought deeply on this, but yes, you certainly wouldn't post a list of URLs. Posting a list of hashes is still potentially a problem, but the bad guy would have to parse and hash every URL in every note on nostr, and compare against your list of hashes to make use of it. I don't know. Maybe there's extra data you could use to construct the hash that would make it more difficult to reverse?