Right. Your reading is much more reasonable. Not as clear as it could be, at least as someone who doesn’t read a ton of these.
Perhaps some managed content hosting allowed iframes for the purpose of inserting arbitrary embedded/shared content?
<iframe width="560" height="315" src="https://www.youtube.com/embed/LbkpMAZuOk0" title="YouTube video player" frameborder="0" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share" allowfullscreen></iframe>
Anyway, I’ve been checking to see what site the devs blocklist. Looks to me like they changed their mind, hurrah!