Click-to-play can never be a security boundary, and you don't need to know anything about the inner workings of Chrome to know that it isn't a security boundary.
Any website can induce you to click somewhere using a psychological trick (for example, a "Next Page" link in an article). There would be no reason to be concerned--after all, merely following a link on a webpage can't be unsafe, right? (After all, you know better than to download software from untrusted sources, so you won't do that. You're just browsing pages.) Then it could use script to replace that link with a malicious plugin in the instant just before you are most likely to click. There--bypassed security boundary.
I find this "you don't need to know the inner workings" lesson analogous to a thought experiment I sometimes ask tech people. I quiz them: Can a USB storage drive harm your computer (install malware, etc.) merely by plugging it in, even if you know better than to run any executable files on it? The answer is (1) Yes, and (2) You don't need any specialized knowledge of how USB works to know this--you just need to know about the existence of USB keyboards. The USB device, despite appearing to be a thumb drive storage device, need merely identify itself as a keyboard, and it can start typing malicious commands after being plugged in.
Any website can induce you to click somewhere using a psychological trick (for example, a "Next Page" link in an article). There would be no reason to be concerned--after all, merely following a link on a webpage can't be unsafe, right? (After all, you know better than to download software from untrusted sources, so you won't do that. You're just browsing pages.) Then it could use script to replace that link with a malicious plugin in the instant just before you are most likely to click. There--bypassed security boundary.
I find this "you don't need to know the inner workings" lesson analogous to a thought experiment I sometimes ask tech people. I quiz them: Can a USB storage drive harm your computer (install malware, etc.) merely by plugging it in, even if you know better than to run any executable files on it? The answer is (1) Yes, and (2) You don't need any specialized knowledge of how USB works to know this--you just need to know about the existence of USB keyboards. The USB device, despite appearing to be a thumb drive storage device, need merely identify itself as a keyboard, and it can start typing malicious commands after being plugged in.