Yes, this isn't even the first cross-domain leakage attack on iframes using CSS. [0] There were similar issues with how hit testing was implemented for `document.elementFromPoint()`[1], and probably tons of other things I'm forgetting.
Ideally cross-origin framing would have been disallowed by default but frames were added to the spec before people spent a lot of time thinking about the same-origin-policy implications.