It would also be great to add the possibility to manually disable certain TLS protocols and ciphers   (e.g. TLS_RSA_WITH_AES_256_GCM_SHA384 (0x9d))   via chrome://flags/  

Generally, we're very careful with these sorts of removals because they can make sites inaccessible in all sorts of bad ways. Deprecating a cipher is a careful consideration of its usage and utility against any security issues.

+some network folks for more comment on this.

Note the current Chrome Stable is 69, so you likely want to update.

As dominick mentioned, the choice of deprecations are carefully balanced against the risk to users versus the compatibility risk, in line with https://www.chromium.org/blink/removing-features and consistent with https://www.chromium.org/blink#new-features ) 

You can disable ciphersuites and TLS versions via the command-line. There are no plans to expose this chrome://flags, which is intended only for temporary usage.

--ssl-version-min (which takes a value of "tls1", "tls1.1", "tls1.2", or "tls1.3")
--cipher-suite-blacklist (which takes a comma-separated list of hexadecimal ciphersuites from https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-4 - e.g. "--cipher-suite-blacklist=0x0004,0x0005")

Marking WontFix, as the requested functionality is present as far as we'll extend support for it. The Cipher Suite Blacklist is intentionally not exposed via Enterprise Policy, but SSLVersionMin is exposed ( https://www.chromium.org/administrators/policy-list-3 ).