Whether you develop new features on main gated by compile flags or on separate branches shouldn't have an effect on CVE assigments.

I'm pretty sure that setting arbitrary compile flags is enough to cause vulnerabilities in most software.

I personally ran nginx without this feature enabled because it was explicitly marked as experimental and potentially unsafe.