
Issue 882501

Starred by 3 users

Issue metadata

Status: Available
Owner: ----
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux, Windows, Chrome, Mac
Pri: 3
Type: Feature
Team-Security-UX

Blocked on:
issue 882053




site info popup says about:blank is not secure

Project Member Reported by skobes@chromium.org, Sep 10

Issue description

On about:blank, clicking the security chip in the address bar says "Your connection to this site is not secure".

In fact about:blank is reasonably secure, due to its blankness.

Perhaps the popup should say something less alarming here, similar to what we show for chrome: urls ("You're viewing a secure Google Chrome page").
 
Cc: cthomp@chromium.org
Status: Untriaged (was: Unconfirmed)
about:blank has the effective origin of its opener (for example, see Issue 742049). I think we've previously thought about actually showing the opener's origin in the omnibox in these cases.

For about:blank that was manually navigated to, we don't treat it as an HTTP page (displaying the "Not Secure" verbose text) at least; instead we just show the (i) and the connection security info in Page Info. While it isn't quite "not secure" in this case, I'd hesitate to ascribe more security to the page than something neutral at best, especially if we don't move to show the opener origin in other cases. Specifically, calling it a "secure Google Chrome page" feels much too strong for a content-less page that is not actually provided by Chrome.

The new tab page doesn't have a security indicator, so I'm not sure how often users would actually run into this.

Another thing to consider is that users very very seldom open Page Info, and that is probably much less for about:blank (which in most cases will either be tied to the opener origin, or transiently visited manually).
Blockedon: 882053
Labels: -Type-Bug Type-Feature
Status: Available (was: Untriaged)
I think the solution involving displaying the correct origin (after which we can think about special-casing the legitimate "no origin" case) is blocked on the ongoing initiator-tracking work in Issue 882053. Once that's resolved, we can revisit this.
