I got serious about blocking ads over 20 years ago, overwhelmingly for security reasons. Today's Internet is far more dangerous than the early 2000s, so there is absolutely no way I'd disregard any opportunity to improve my own security.
Windows has always been especially vulnerable; I started blocking ads using the Internet Junkbuster tool back in the late 90s.
Web browser extensions aren't enough. There are plenty of apps, etc. that serve ads these days beyond the web browser. For well over a decade I've been using a combination of a browser extension plus DNS-based ad blocking. And browser-based extensions all need to be updated individually. I use uBlock Origin Lite on my Chrome-based browsers, Adguard on my Firefox browsers; I use Wipr on my Mac and iDevices, which solely targets the native Safari browser. The system administration load is *NOT* invisible.
For a while I was content using a host file on my Linux-based router (with the custom Polarcloud kernel) to block (most) of this stuff on my home network. But about 15 years ago, it became crystal clear that ad blocking needed to be device specific once regular people started taking Internet-connected devices out of the house: smartphones, tablets, whatever. For Joe Consumer, Internet connectivity moved beyond the computer in the early 2010s.
Today I use some sort of ad blocking extension on my web browsers: Adguard, uBlock, Wipr (for Apple devices), whatever. But those don't protect from in-app ads, so there's DNS-level blocking that must be considered. Today I'm using Adguard DNS DoH profiles on my Apple devices.
adguard-dns.io
I wish I had these sorts of ad-blocking tools for other devices like my printer, Nintendo Switch, various streaming sticks, etc. I miss the days of having router-based hostfile blocklists, but the world has moved on from that.
If you care about online security, you should be using at least two forms of online protection on every device: one system-wide, another browser-focused. There is nothing new about this. Thoughtful people have been doing this for 15-20 years.
I don't whitelist any site's ads. It's not the site that serves up vulnerabilities, it's a compromised ad network. A legitimate site itself has no interest in exploiting end users. TPU self-hosts a handful of ads and I'm okay letting those creep through since the source has proven to be non-malicious to date. But I will not let any of this site's (or any other site's) third-party ad networks serve up content.
I am not that stupid. I've been on the WWW for 30+ years (since the NCSA Mosaic days); I am not blind to the risks of the modern Internet. And basic protection against these security threats is pretty easy. It takes about a minute to install the Adguard DNS DoH profile on my phone (and no refreshing afterwards). In fact, computer web browser extensions are far more needy of user interaction.
First line of defense should be at the device network level, not at the application level (like a web browser). Sure, add another level of security at your router but know that it does nothing once you walk out the front door (I know some people don't actually leave their moms' basements).