CRM won’t corrupt your ERP data. Frappe CRM uses its own DocTypes (CRM Deal, CRM Lead). It doesn’t touch GL Entry, Sales Invoice, or your accounting tables. Shared DocTypes like Contact and Customer are owned by ERPNext, not CRM. CRM is in my opinion (after ERPNext and HRMS) a stable app.
CRM updates don’t auto-deploy — you decide when to run the update. You can pin versions or update apps selectively.
Separate sites don’t eliminate risk — they add complexity. You’d need webhooks, sync jobs, duplicate contacts. A CRM bug on a separate site still means downtime for sales. What actually protects you is a solid backup strategy, not site separation.
But perhaps there is someone else that can give their 2 cents to this topic.