I've had an unexpected redirect from a hacked Wordpress site in the past. One of the reasons why I will never go without an abuse blocker + NoScript on work computers. I had been trialing going without at the start of that job and lasted a few months but that incident permanently removed any latent guilt.

Non-whitelisted extensions are blocked in Edge, and Edge is the default browser. Chrome/FF are less locked down, more due to incompetence than not trying to be heavy-handed.

…of course, Zscaler with “all Wordpress sites blocked” is also a thing, along with the majority/nearly all of European non-English countries, because god forbid you want to read the emmet docs or something.