Not all crons run in CLI mode. You can't run in CLI mode if you want to give users the ability to use external cronjob services unless you use a script which is called by the external service by HTTP to start a shell script.
which completly defeats the idea of CSRF
So, you are saying that those who are not able to run crons by calling a shell script (shared hosting) should not be able to run Roundcube and its plugins? As far as I understand CSFR it should prevent POST and AJAX-Requests from not authorized sources and nothing else. Why do you have concerns to run HTTP based cronjobs? Of course there are IP or authorization token checks. I didn't say that Devs should disable security features.