Very stable options
#extension-content-verification
This flag can be used to turn on verification that the contents of the files on disk for extensions from the webstore match what they're expected to be. The choice STRICT enforces a hash check. This option can not be turned off by software (to prevent tampering with by malware). Although not the same it can be compared with a signature check of normal programs (but it is a hash check for extensions in Chrome store).
#enable-permissions-blacklist
This requires you to have Chrome safe browsing feature enabled. URL-filtering is a numbers game, the more real users surfing or crawling the internet, the more URL's are collected. Chrome has because of ANdroid OS and its installed base of the browser the largest user base. When this setting is enabled visiting a website on the Google Chrome blacklist, will reduce permission in the browser (e.g. an ask or allow plug-ins to run code outside the sandbox, or use of camera will be turned into a no when enabling this setting).
Stable options
#enable-site-per-process
This security mode ensures that a website is rendered by a separate process. In this mode cross site iframes will be processes OOP (out of process) in it sown sandbox.These "strictly isolates" pages are never allowed to share a process with regular web pages, even when navigating in a single tab. This is generally acceptable from a compatibility perspective because no scripting is expected between normal pages and WebUI pages, and because these can never be loaded in subframes of unprivileged pages. With the current level of support for out-of-process iframes, Chrome can also keep web content out of privileged extension processes. There is a interesting read about this process (started in 2012)
Site Isolation - The Chromium Projects.
#enable-top-document-isolation
When you allow the enable-site-per-process feature, the number of renderer processes will grow with the number of websites opened in your browser. When Chrome uses a lot of renderer process it will automatically start to re-use processes. This sort of defeats the purpose of enable-site-per-process. This feature (enable-top-document-isolation) puts cross-site iframes in ONE separate process from the top document. In this mode, iframes from different third-party sites will be allowed to share a process. Historically, third party content such as ads and analytics used document.write to load script resources. So by grouping them together in one separate process you gain performance and keep resources available for others (e.g. for enable-site-per-process).
Could impactwebsites
#disallow-doc-written-script-loads
This blocks loading or cross-origin, parser-blocking scripts inserted via document.write in the main document. It was intended to be automatically enable on slow networks (e.g. 2G). Historically, third party content such as ads and analytics used document.write to load script resources. Despite support for asynchronous loading, websites still keep using document.write. This harms performance (and potentially also security). Since it is used by ads and analytics, any block generated by this feature probably don't have a negative impact anyway (unless you like to be tracked and read ads), therefore I have it enabled on all PC's.
#enable-framebusting-needs-sameorigin-or-usergesture
Don't permit an iframe to navigate the top level browsing context unless they are same-origin or the iframe is processing a user gesture. This was implemented with Chrome 56 but pulled back with chrome 57 after reported breakage. It might impacts some user verification/payment checks when doing online shopping. I have enabled it on my Asus Transformer, but disabled it on my wife's laptop and my desktop. When I do online banking or book flights and hotels (on travel) with my Asus everything seems to run fine (I am recognised and are allowed to finalize payment).
