Adding one comment to clarify - We've determined that this issue may not be specific to content fragments. Rather, the Rich Text Editor feature used within content fragments may be what's triggering the XSS scan.
How would (relatively) non-technical users input their CSS to client libs? Wouldn't that require access to our AEM project? The HTML/CSS is being written by people that just have author access to the content fragments and is generally very diverse in contents.
I'm sorry, could you explain a bit more what you mean? We aren't using any internal CSS referencing, unless I'm misunderstanding your question. The stylesheet is all inline.