Note that headless needs an ability to disable site-per-process for performance reasons and easier consumption of DevTools protocol.

To take it further, all the existing production scenarios for headless are around automation and we actively don't want site isolation / oopifs there. In fact, we'd like the opposite such as enforcing fine-grained control over renderers for site so that we could manage and run arbitrary sites in given renderers.

RE: #c2: all the existing production scenarios for headless are around automation and [therefore] we actively don't want site isolation / oopifs there

I don't think I follow :-(

1. Even after all the OOPIF bugs are fixed, there will still be scenarios where website's behavior may differ with and without OOPIFs (e.g. see the race between postMessage and layoutissue in issue 828529 and the explanation in https://developers.google.com/web/updates/2018/07/site-isolation#full-page_layout_is_no_longer_synchronous).

2. If there is a risk that the website behavior differs with and without OOPIFs, then I assume we want the automation scenarios (production and test) to behave in a way compatible with the product that we ship (i.e. with Chrome).

1 + 2 would imply to me the we *do* want site isolation in //headless...  Otherwise //headless might give back different results (e.g. screenshot results) than Chrome would.

BTW: I also assume that security benefits of Site Isolation are also relevant for at least _some_ automation scenarios.  I can see that credentials/secrets worth protecting against cross-origin access may be more rare in automation scenarios, but I assume they still exist (e.g. I assume that it is theoretically possible to run a //headless browser with the same user profile directory as the one used by the real Chrome browser).