Add confirmation for the Auto-fill option - the exploit suggests the current warning might not be harsh enough?

Right. Your reading is much more reasonable. Not as clear as it could be, at least as someone who doesn’t read a ton of these.

Perhaps some managed content hosting allowed iframes for the purpose of inserting arbitrary embedded/shared content?

<iframe width="560" height="315" src="https://www.youtube.com/embed/LbkpMAZuOk0" title="YouTube video player" frameborder="0" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share" allowfullscreen></iframe>

Anyway, I’ve been checking to see what site the devs blocklist. Looks to me like they changed their mind, hurrah!