tl;dr if you can navigate to chrome://site-engagement in your browser and you see a list of sites, this “internal” scoring can be used by fingerprinting scripts to better identify you

  • Spotlight7573@lemmy.world · 6 points · 11 months ago

    How it works: Chrome only displays the lookalike phishing protection screens for sites with similar domains to the ones you visit, which can be detected by a server when the site doesn’t load (the warning first appears instead).

    Summary from the conclusion:

    Lookalike Warnings are arguably a great safety feature that protects users from common threats on the web. It’s hard to balance effectiveness and good user experience, making Site Engagement a vital source of information. However, since disabling Site Engagement or Lookalike Warnings is impossible, we believe it’s important to discuss these features’ privacy implications. For some people, the risk of exposing their browsing history to a targeted attack might be far worse than being tricked by lookalike phishing websites. Especially given that site engagement is also copied into incognito sessions.
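To make the dependency described above concrete, here is an added example (not code from the thread, the linked paper, or Chromium): a toy model in which a lookalike warning is only raised for domains that resemble a site whose engagement score is above a threshold. Chrome's real lookalike heuristics, its engagement scale and its cutoff are not reproduced here; the hostnames, scores and threshold are constructed, and edit distance stands in for the actual similarity check. The point it shows is that the warning decision for a given candidate domain changes with the user's browsing history, which is exactly why the feature carries a privacy cost.

```python
# Added example: a simplified model of an engagement-gated lookalike warning.
# Not Chromium's algorithm; all data below is constructed for illustration.

# Sample of the kind of data chrome://site-engagement exposes:
# hostname -> engagement score. Chrome uses a 0-100 scale; values are made up.
SITE_ENGAGEMENT = {
    "example-bank.com": 72.0,
    "mail.example.org": 45.5,
    "news.example.net": 3.2,
}

# Assumed cutoff below which a site is not considered "engaged"; not Chrome's.
ENGAGEMENT_THRESHOLD = 20.0


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used here as a crude 'looks alike' measure."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def engaged_sites(engagement: dict, threshold: float = ENGAGEMENT_THRESHOLD) -> set:
    """Hosts the user interacts with enough to be protected by the warning."""
    return {host for host, score in engagement.items() if score >= threshold}


def lookalike_target(candidate: str, engagement: dict,
                     threshold: float = ENGAGEMENT_THRESHOLD,
                     max_distance: int = 1):
    """Return the engaged host the candidate resembles, or None if no warning."""
    if candidate in engagement:
        return None  # a site the user actually visits is never flagged
    for host in sorted(engaged_sites(engagement, threshold)):
        if edit_distance(candidate, host) <= max_distance:
            return host
    return None


def would_warn(candidate: str, engagement: dict, **kwargs) -> bool:
    """True if this user's browser would show a lookalike warning for candidate."""
    return lookalike_target(candidate, engagement, **kwargs) is not None


if __name__ == "__main__":
    # The same candidate gets different answers for different histories:
    # a site the user is engaged with is protected, a rarely visited one is not.
    for host in ("examp1e-bank.com", "news-example.net"):
        print(host, "->", would_warn(host, SITE_ENGAGEMENT))
```

Because the decision depends on which hosts clear the engagement threshold, the same candidate hostname produces a warning for one user and a normal page load for another; any observer who can tell those two outcomes apart learns something about the first user's history, which is the side channel the post above summarises.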

    • whale@lemm.ee (OP) · 1 point · 11 months ago

      I can happily report that from the Cromite Android browser, there is no Site Engagement list, so AFAIK it’s only “impossible to disable” from Chrome itself.

      And I’m not sure about their conclusion either, because “allow fancy spoofing warnings for better security, or disable them entirely for better privacy” seems like a heck of a dichotomy. Why not just go with the ugly full page ones and let that be all?

      • Spotlight7573@lemmy.world · 1 point · edited · 11 months ago

        I can see warning fatigue being a problem and trying to avoid the use of the interstitial pages because of that. They don’t want to display the big warning when they’re not confident, as then people might ignore those in other contexts (cert errors, phishing/dangerous sites, etc).