Agreed - iFrame setups can look a lot like an attack themselves.
HTTPS should mean your details are safe while in transit. Which implies that OnePlus' servers may have been compromised, allowing the form input data to be copied in that small window when it has been received and is about to be sent on via the back end. In other words it's a fairly classic man in the middle attack, but without the hassle of having to put the man there in the first place.
The implicit suggestion that the iFrame method is superior stems from the idea that whoever hosts the iFrame (be it a bank or a payment processing intermediary) will have done a better job of securing their systems, rather than purely technical reasons. Like you say, at some point you've got to trust someone.