FlipSid a third party iframe used to be much more common back in the day. Haven't seen one for a long time, but then again I block stuff with a hosts file, both on GrapheneOS and desktop. Its a file in /etc/ on Ubuntu and /system/etc/ on GrapheneOS that let's you set rules for IP addresses for domains to redirect to. It has 1.5 million lines in my setup, redirecting ad and tracking domains to 0.0.0.0. You need to build it into GrapheneOS to have it on your phone, you can't just modify /system/etc/hosts
uBlock works well, especially in medium mode, which blocks scripts! It doesn't block first party scripts in medium, hard mode doesn't even do that. You can set first party scripts to be blocked too, but hard mode will block iframes at least since it blocks all third party resources. I block all JavaScript, first and third party, using Noscript. I just like it a lot better. So my uBlock only is for Adguard URL Tracking Protection. I also import the Actually Legitimate URL Shortener Tool.
That's on desktop though. On mobile (Android) Firefox lacks proper sandboxing of the web renderer. Unfortunate but it makes Vanadium the clear choice! Stay away from Firefox on your phone, it is too easy for a malicious website to have its data persist on your phone...
Vanadium block ads too! You can set it to block scripts too under "site settings." It blocks Java JIT by default. It is hardened chrome with all the Google telemetry taken out. I looked at all the patches when I compiled Vanadium, and there are a lot, and a lot of great ones that really enhance privacy and especially security! Nothing else like it!
For an example of an iframe, go to this website. the iframe is the box with a login prompt. This is the test site from the Cure53 report. If you put in anything for a username and password it will leak it to the top level website. Not just an autofill issue!