In the intent to implement thread for the new memory API getMemoryEstimateUASpecific, the concern was raised that returning *all* memory usage will also leak information about the size of cross-origin resources. This has security and privacy implications that make the current form factor unshippable.
https://groups.google.com/a/chromium.org/forum/#!topic/blink-dev/-xagQ4UJawY
The following workaround has been proposed: create a new feature policy which turns all resource requests [including default no-cors requests] into CORS requests. Only websites that opt in to the feature policy will have access to the new memory API.
Aside: Chrome currently loads cross-origin resources into the same process, and then tries very hard to make their contents/size inaccessible [e.g. canvas tainting]. A sufficiently determined adversary could use Spectre to get their contents anyway. With this feature policy, Chrome would prevent the resources from ever being loaded in the same process.
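To make the proposed gate concrete, here is an added model of it (example code, not Chromium's implementation): a page opts in through a Feature-Policy header, every no-cors request is then upgraded to CORS, and the memory API only ever totals resources whose size the page could already read. The policy name, the default 'none' allowlist and the simulated fetch outcomes are assumptions; the page names none of them.

```javascript
'use strict';
// Hypothetical policy name; the thread does not name the feature.
const MEMORY_FEATURE = 'memory-estimate-ua-specific';

// Parse a Feature-Policy header value such as "geolocation 'self'; fullscreen *"
// into a Map of feature name -> allowlist tokens.
function parseFeaturePolicy(header) {
  const policy = new Map();
  for (const directive of header.split(';')) {
    const [name, ...allowlist] = directive.trim().split(/\s+/).filter(Boolean);
    if (name) policy.set(name, allowlist);
  }
  return policy;
}

// Is the feature enabled for a top-level document at docOrigin?
// Assumed default allowlist for the new feature: 'none' (opt-in only).
function allowsFeature(policy, feature, docOrigin) {
  const allowlist = policy.get(feature) || [];
  return allowlist.includes('*') || allowlist.includes("'self'") ||
    allowlist.includes(docOrigin);
}

// With the policy on, no-cors requests are forced into CORS mode.
function effectiveMode(requestedMode, policyOn) {
  return policyOn && requestedMode === 'no-cors' ? 'cors' : requestedMode;
}

// Constructed outcome of loading one cross-origin resource (no real network):
// no-cors -> opaque response in-process, size hidden from the page;
// cors    -> loaded with readable size only if the server allows the origin.
function loadCrossOrigin({ mode, serverAllowsOrigin, bytes }) {
  if (mode === 'no-cors') return { loaded: true, type: 'opaque', pageSeesSize: false };
  if (!serverAllowsOrigin) return { loaded: false, type: 'error', pageSeesSize: false };
  return { loaded: true, type: 'cors', pageSeesSize: true, bytes };
}

// The API is only exposed when the policy is on, and then every loaded
// resource's size is already page-visible, so the total leaks nothing new.
function memoryEstimate(results, policyOn) {
  if (!policyOn) return undefined;
  if (results.some(r => r.loaded && !r.pageSeesSize)) {
    throw new Error('invariant violated: opaque resource loaded in-process');
  }
  return results.filter(r => r.loaded).reduce((sum, r) => sum + r.bytes, 0);
}

function simulatePage(header, docOrigin, requests) {
  const on = allowsFeature(parseFeaturePolicy(header), MEMORY_FEATURE, docOrigin);
  const results = requests.map(r => loadCrossOrigin({ ...r, mode: effectiveMode(r.mode, on) }));
  return { policyOn: on, results, estimate: memoryEstimate(results, on) };
}
```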
Comment 1 by tdres...@chromium.org, Sep 21