The issue wasn't caused by the inclusion of jQuery, it was caused by injection of a script tag that loads Google Maps in one of the files. Linking JS from outside the (privileged) packaged app will cause CSP errors. Unfortunately we didn't properly articulate the nature of the issue, but emails have been sent and bugs have been filed.
You can see Jeena's app on Github:
The bit of CSP-violating code in question, for those interested, has since been removed:
Unfortunately, static analysis is a hard problem to solve (especially in JS) and the messages produced by the validator are quite noisy. We're working to improve that. Combine that with the mystic and unusual nature of the CSP and you've got a recipe for confusion and disappointment.
Again, the app was NOT rejected because it included jQuery. If you're building FXOS apps, please use your favorite JS libraries (as long as they don't violate the CSP!) and keep on hacking!
Edit: I should also note that while the validator DOES report potential CSP issues, they are only warnings. While an app will obviously be rejected for actually violating the CSP (i.e.: the app is broken), it won't be rejected for simply raising warnings. It should also be noted that your app can be rejected for using jQuery if you use it in a way that violates the CSP (e.g.: using JSONP, or parsing HTML that contains remote script tags). There are loads of docs in the Marketplace developer hub and on MDN that talk about this and explain why it's the case.
If anyone has questions or would like to know more, please hit Mozilla or myself up directly: email@example.com, @mattbasta, firstname.lastname@example.org
You're also welcome to check out the source for the validator:
On http://jquerymobile.com there is a tool which lets you make your own custom jQuery mobile which has everything you need and this tool also added this extra file which I never needed for my app anyway.
Sorry for causing so much confusion.