Hacker News

If you think visiting a webpage in Chrome, or any other browser, even inside a VM, is totally safe, especially against a nation-state level actor, I have some bad news for you.


You would literally have to never click on any link that isn't 100% under your own control in that case. Yes, 0-days exist, but if I'm in an environment where that level of security is necessary, why do I even have access to a web browser?


If you think that just clicking a link is so dangerous that it needs to be a firing offense, then you should probably lock down the computers so that the browsers cannot view anything besides approved domains.


With that logic, just having your mail client/web mail parse a malicious mail from a nation-state level actor is enough to compromise your machine.



From the original article which that page links to [0]:

The breach centered around a hacker getting hold of a Microsoft customer support worker’s login credentials; from there, the hacker could dive into the content of any non-corporate Outlook, Hotmail, or MSN account

This is a security concern for any mail that an administrator can read, although it isn't at the same level as being compromised just through parsing an email.

[0] https://www.vice.com/en_us/article/xwndwn/microsoft-outlook-...


If you are in a high enough position that nation states are burning zero-day exploits to launch targeted attacks against you, there should probably be a security professional filtering your email. (This is also a situation where disabling JavaScript would be very reasonable.)

For the remaining 99.999% of the population, I really don't think opening a web page in an up-to-date browser is cause for concern. Certainly if that browser is also in a VM. People have more pressing concerns in their lives.


A nation state level actor will always get in.



