I understand the reasoning behind that, but ultimately it should be the user not the website that has control over whether Chrome Frame is activated or not. A user can always visit an IE-only website in FireFox, so it's not creating a new problem there.
Allowing the user control, rather than the website, means the user will get the benefit of Chrome Frame by default rather than as the exception and will stop a potential attacker from getting to choose their attack vector...
Allowing the user control, rather than the website, means the user will get the benefit of Chrome Frame by default rather than as the exception and will stop a potential attacker from getting to choose their attack vector...