So what of...
Card payment services? A lot of them use an embedded iFrame to offload liability within the PCI-DSS compliance framework. Think of a large company with many different brands taking payments: do you a) certify each and every site to the top PCI-DSS level 1 merchant compliance with all the security checks that entails, b) create a separate entity to handle all payments for all sites and use an iFrame to handle the payment (thus meaning no money is put through each individual site but only the payment service, and only one site needs to be fully scrutinised), or c) hand it over to a 3rd party provider like PayPal for example... again via an iFrame?