I tried to reproduce the bug, but here is what I got:

When latching is disabled and --site-per-process is enabled, back navigation from inside oopif doesn't work at all. I tried back navigating out of the oopif and it worked.

When latching and --site-per-process are both enabled, back navigation from inside oopif works and no crashes happen after navigation, I also tried a combination of scrolling and the navigation, the issue was the same.

It would help me a lot if you attach the trace.
It might be similar to 764248 where wheel_target_ gets destroyed before the wheel end event is sent. (Wheel end event is sent 100ms after the last wheel event.)

Yeah, clearing |wheel_target_| when the view is destroyed fixes the segfault.

However, even with that fix, I notice that after navigating we DCHECK if we try to scroll the page.
DCHECK(!is_in_gesture_scroll_[gesture_event.source_device]);
https://cs.chromium.org/chromium/src/content/browser/renderer_host/render_widget_host_impl.cc?rcl=1ac5b7741ff7b1b9bd8d1d4a91770e1ee1b5b893&l=1193
where the GSB comes from MouseWheelEventQueue::SendScrollBegin.

Presumably, the root RWH is in a gesture scroll when the child is destroyed and the child doesn't generate the necessary GSE to bubble to the root, so the root still thinks it's in a gesture scroll after the navigation.