The Raspbian repo (raspbian.raspberrypi.org) pulls in security fixes from Debian as well.
However, archive.raspberrypi.org is managed manually. The version of chromium we currently ship is relatively old, with many known CVEs fixed in later versions. I'm working on getting a newer version packaged up right now. I try to version things such that security fixes from Debian are picked up in favour of our changes, but most of archive.raspberrypi.org packages don't come from Debian and therefore don't get anywhere near the same level of scrutiny.
I try to keep security in mind as much as possible and if anything slips by and is reported, we'll try to address it ASAP. But, we don't have a security team like Debian does to track every single CVE.