TL;DR:
1. The web platform arm of Chrome's security team aims to focus on isolation and injection mitigations in 2020.
2. Strict CSP is pretty good. Trusted Types is looking promising.
3. Cross-Origin-Opener-Policy, Cross-Origin-Embedder-Policy, and Cross-Origin-Resource-Policy are important new primitives that I hope y'all are paying attention to.
4. We should raise the bar for new development to include the mitigations above.
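
One way to hold new development to item 4, as an added example that is not part of the original post: a Python check that a CI step could run over a response's headers. The function names, the label strings and the sample headers are constructed for illustration, and which values count as passing (for example, only `same-origin` for Cross-Origin-Opener-Policy) is an assumption of this sketch.

```python
import re

NONCE_OR_HASH = re.compile(r"'(nonce|sha256|sha384|sha512)-[A-Za-z0-9+/_-]+={0,2}'$", re.I)

def parse_csp(value):
    """Parse one CSP header value into {directive: [source tokens]}."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        # CSP ignores a repeated directive: the first occurrence wins.
        if tokens and tokens[0].lower() not in policy:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def audit(headers):
    """Return labels (constructed for this example) for each missing mitigation."""
    h = {k.lower(): v for k, v in headers.items()}
    # Only the enforced header counts; a Report-Only policy blocks nothing.
    csp = parse_csp(h.get("content-security-policy", ""))
    kw = lambda name: [s.lower() for s in csp.get(name, [])]
    first = lambda name: h.get(name, "").split(";")[0].strip().lower()
    missing = []
    # Strict CSP: nonce- or hash-based script-src with 'strict-dynamic',
    # plus object-src and base-uri locked down.
    if not (any(NONCE_OR_HASH.match(s) for s in csp.get("script-src", []))
            and "'strict-dynamic'" in kw("script-src")):
        missing.append("strict-csp:script-src")
    if kw("object-src") != ["'none'"]:
        missing.append("strict-csp:object-src")
    if kw("base-uri") not in (["'none'"], ["'self'"]):
        missing.append("strict-csp:base-uri")
    # Trusted Types is enforced through a CSP directive.
    if kw("require-trusted-types-for") != ["'script'"]:
        missing.append("trusted-types")
    # Isolation primitives: COOP, COEP, CORP.
    if first("cross-origin-opener-policy") != "same-origin":
        missing.append("coop")
    if first("cross-origin-embedder-policy") not in ("require-corp", "credentialless"):
        missing.append("coep")
    if first("cross-origin-resource-policy") not in ("same-origin", "same-site", "cross-origin"):
        missing.append("corp")
    return missing

# Constructed sample responses, not taken from any real site.
HARDENED = {
    "Content-Security-Policy": "script-src 'nonce-r4nd0mConstructed' 'strict-dynamic'; "
                               "object-src 'none'; base-uri 'none'; require-trusted-types-for 'script'",
    "Cross-Origin-Opener-Policy": "same-origin",
    "Cross-Origin-Embedder-Policy": "require-corp",
    "Cross-Origin-Resource-Policy": "same-origin",
}
LEGACY = {
    "Content-Security-Policy": "script-src 'self' 'unsafe-inline' https://cdn.example; object-src 'none'",
    "Cross-Origin-Opener-Policy": "same-origin-allow-popups",
}
```

An allowlist-based `script-src` such as the one in `LEGACY` is reported as not strict even though a policy is present, which is the distinction item 2 turns on.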