So I think it's probably best to look at this as a user interface testbed -- basically a test of how annoying or effective it would be if browsers asked users to opt into these things, and which set of policies would be least annoying for the maximum protection. I suppose it also sets a ceiling on the performance impact, but it's not obvious the impact would be the same if the same rules were set at the browser level.
What's the use case for this? Is this for crypto-sensitive code or password matching that is vulnerable to timing attacks and such? Or is this for avoiding things like Spectre in a more general sense?