"A closed source binary being silently downloaded and executed without explicit action by the user or notification to the same is a security incident."
Whereas source code being downloaded, compiled and run is not? Or a script being downloaded and run?
The source code being downloaded, compiled and run or a script being download and run would be a as much a security incident as what happened.
In this context (Chromium on Debian) having a closed source binary downloaded and executed is an additional problem to the security incident and that's the reason it is mentioned in the statement. There are two problems conflated in the same sentence:
1. A binary was downloaded and executed without explicit user intervention or consent.
2. A closed source binary was downloaded and executed by a primarily free and open source software in a free and open source distribution without explicit user intervention or consent.
So, answering the questions, having the source available would not make it ok but being closed source in this context is a problem on its own.
Yes. If opening a webpage downloaded a script that permanently altered the browser adding or removing functionality without explicit user intervention or consent it would be a security incident. There is even a class of scripts that warrants a special name because of this exactly behaviour: malware.
Considering the more general case of scripts being downloaded and executed in the browser (javascript, for instance) the more apt analogy would be one being downloaded and executed in a system with NoScript installed.
Just like NoScript is a tool that gives its users the power to decide on a case by case basis which scripts are executed by the browser, Debian is a tool that gives its users the power to decide on a case by case basis which closed source binaries are executed by their system.
Preventing this choice in this context is a security incident.
Whereas source code being downloaded, compiled and run is not? Or a script being downloaded and run?