--allow-file-access-from-files is a bad idea
Imagine this is some webpage you want to reference offline.
Right click and pick "Save As.." and save it locally. Now run chrome with
then double click the file. You'll likely see it is able to read local files from your hard drive. It could just
as easily transmit those files to a remote server.
You may say you never save HTML files locally. That's not the point. The point is you disabled security. Here's one example
to show there are issues. There are likely more issues. For example any 3rdparty library you download could be doing this. You include the library in your project and it starts uploading your files to some remote server.
The point is not to enumerate every possible issue. The point is why take the risk? Instead of using
run a simple server for your dev.