It's actually somewhat interesting why it may be acceptable for Cloudflare to run a security model that Chrome isn't comfortable with: Every V8 exploit isolate escape is a Cloudflare platform compromise. The thing is: when such an exploit is discovered Cloudflare can roll their platform relatively quickly while Chrome users will only update over days to weeks. Hence, it can be considered OK to not have a defense in depth. Still, I sleep much better now knowing that I can rely on OS/CPU level isolation and rather than hope for the best that no V8 zero day hits my worker.
Yeah, we used to run on our "edge functions" on CF, so, for better or worse, I know the stack and the threat model very well. One reference point: Chrome does not consider the v8 isolate boundary sufficient and instead does per site process isolation.