is there a possibility that such a mixed mode could arrive in the future? E.g. SetEnhancedSecurityModeExemptDomains("contoso.com") which lets you say "Turn on ESM for all non-contoso sites"?

Could be

enum CoreWebView2EnhancedSecurityMode
{
    Off,
    On,
   // future: OnForUntrustedDomains
}

runtimeclass CoreWebView2Profile
{
    CoreWebView2EnhancedSecurityMode EnhancedSecurityMode { get; set; }
}

?

Right now, ESM does two things. Suppose that we later think of a third thing. Would we

1. Add it to the things you get when you enable ESM
2. Make it another tier of ESM that apps have to opt into [IsEnhancedSecurityMode =very true]
3. Make it an entirely separate feature (Super-Secure Mode) that apps have to opt into separately from ESM

My expectation based on reading "enabling additional OS protections" is that a third thing could already quietly light up when ESM is on.

If we create this as an enum to make it extensible, should probably be { Off, Strict } (instead of "On") since 3rd+ values (e.g. "Balanced" being supported) would be different flavors of "on".

yes, in coming APIs we will add support to exempt origins, we can have something like SetESMBypassList: to always not apply enhanced security and SetESMEnforceList: to always apply enhanced security for the origins in the list, irrespective of the ESM level for that profile.

We’re looking to introduce a unified API later for origin-level configurability, since there are several features like tracking prevention, SmartScreen, ESM, and others with origin exemptions capability.

it makes sense to have off and strict enums instead of off and on. We may support balanced mode in future